
Infected with Antivirus Soft- Unable to acquire IP address and nonfunctioning Wireless Keyboard


34 replies to this topic

#1 wmaxwell
  • Members
  • 21 posts

Posted 31 May 2010 - 11:50 AM

I ended up with Antivirus Soft. I used rkill and Malwarebytes in safe mode (administrator). After it removed several infections, I rebooted in normal mode. The wireless keyboard would not work (the wireless mouse using the same USB dongle works fine) and the network connection was acquiring an IP address (never acquired).

Ran rkill and Malwarebytes in normal mode and in my user name in safe mode. It cleared up some additional infections in my user name in safe mode (none, as I recall, in my user name in normal mode). Ran Spyware Doctor. It found Spyware.Known_Bad_Sites. Since it wasn't going to remove it without buying the full version (and still not solve the problem), I've since run Dr Web CureIt (removed Backdoor.Tdss.565) and Cool Cleaner. No change.

The keyboard works in safe mode. Currently the Hardware Device Manager says "Windows cannot load the device for this hardware because a previous instance of the device is still in memory (Code 38)". I've uninstalled and reinstalled from the original disk; no change. I'm currently using a wired keyboard. The network works in safe mode intermittently. Sometimes (once every 4 or 5 boots) it boots up normally (blue task bar; network operates). Occasionally it doesn't appear normal (wallpaper comes up without taskbar, much later a grey taskbar shows up, dog slow) but the network does work. Most of the time it doesn't have any network connection (acquiring IP address).

An additional piece of info (perhaps worthless): a month or so ago I had an error upon boot-up indicating that the operating system wasn't on the drive. After reloading Windows I realized that the drives had switched letters. I physically changed the drive connections to the motherboard to return the drives to their original drive letters. I'm having to do this from my laptop and had to replace the cable modem (dying).




DDS (Ver_10-03-17.01) - NTFSx86
Run by Walter J. Maxwell at 18:31:13.21 on Sun 05/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1481 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100530-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Walter J. Maxwell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mediacomtoday.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\progra~1\micros~4\wcescomm.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [<NO NAME>]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-13 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-13 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-12-27 138680]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-12-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-12-27 352920]
S2 gupdate1ca26bd67db07c4;Google Update Service (gupdate1ca26bd67db07c4);c:\program files\google\update\GoogleUpdate.exe [2009-8-26 133104]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.SYS [2009-8-16 40672]

=============== Created Last 30 ================

2010-05-30 14:32:58 0 ----a-w- c:\documents and settings\walter j. maxwell\defogger_reenable
2010-05-30 00:28:34 0 d-----w- c:\documents and settings\walter j. maxwell\DoctorWeb
2010-05-29 23:11:34 0 d-----w- c:\program files\Microsoft IntelliType Pro
2010-05-29 15:01:44 0 d-----w- c:\windows\pss
2010-05-29 03:58:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-05-29 03:58:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-05-29 03:56:23 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-05-29 01:59:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-29 01:59:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-29 01:59:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 02:06:15 0 d-----w- c:\docume~1\walter~1.max\applic~1\Malwarebytes
2010-05-27 01:07:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-27 01:05:37 363520 ----a-w- C:\rkill.com
2010-05-27 00:59:17 6153352 ----a-w- C:\mbam-setup.exe

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-08-23 00:00:47 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 18:32:19.84 ===============


#2 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 02 June 2010 - 03:34 PM

Hi and welcome.

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 wmaxwell
  • Topic Starter

  • Members
  • 21 posts

Posted 02 June 2010 - 09:49 PM

Thanks for the help.
The wireless keyboard still does not work. Currently the Hardware Device Manager says "Windows cannot load the device for this hardware because a previous instance of the device is still in memory (Code 38)". However, this time the network connection acquired an IP address and I was able to get to the internet.
This time the wallpaper comes up without the taskbar; much later a grey taskbar shows up, dog slow, and the network did work. It didn't stay through the spontaneous reboot. The DDS required three tries: the first time the process shut down, the second time the computer rebooted prior to completion, the last one made it to the end. Additionally, after the reboot the Windows firewall was turned off.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Walter J. Maxwell at 19:42:00.10 on Wed 06/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1489 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100602-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~4\wcescomm.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Walter J. Maxwell\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mediacomtoday.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\progra~1\micros~4\wcescomm.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [<NO NAME>]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-13 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-13 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-12-27 138680]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-12-27 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-12-27 352920]
S2 gupdate1ca26bd67db07c4;Google Update Service (gupdate1ca26bd67db07c4);c:\program files\google\update\GoogleUpdate.exe [2009-8-26 133104]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.SYS [2009-8-16 40672]

=============== Created Last 30 ================

2010-05-30 14:32:58 0 ----a-w- c:\documents and settings\walter j. maxwell\defogger_reenable
2010-05-30 00:28:34 0 d-----w- c:\documents and settings\walter j. maxwell\DoctorWeb
2010-05-29 23:11:34 0 d-----w- c:\program files\Microsoft IntelliType Pro
2010-05-29 15:01:44 0 d-----w- c:\windows\pss
2010-05-29 03:58:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-05-29 03:58:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-05-29 03:56:23 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-05-29 01:59:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-29 01:59:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-29 01:59:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 02:06:15 0 d-----w- c:\docume~1\walter~1.max\applic~1\Malwarebytes
2010-05-27 01:07:10 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-27 01:05:37 363520 ----a-w- C:\rkill.com
2010-05-27 00:59:17 6153352 ----a-w- C:\mbam-setup.exe

==================== Find3M ====================

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2008-08-23 00:00:47 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 19:43:12.03 ===============


#4 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 03 June 2010 - 02:54 PM

Hello again.

Thanks for the description.

From the logs, I see a driver that seems to be patched, relating to one of the TDL3 rootkit infections.

Let's start off with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


#5 wmaxwell
  • Topic Starter

  • Members
  • 21 posts

Posted 03 June 2010 - 07:15 PM

I ran ComboFix. However, it stated that Avast was still active though I had disabled it. It also ran after finding that I didn't have the Recovery Console (I clicked "No" when prompted to have ComboFix install it since I didn't have an internet connection). Should I install the Recovery Console from my XP disk?

Again, Thanks
Here's the Log

ComboFix 10-06-03.01 - Walter J. Maxwell 06/03/2010 19:50:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1589 [GMT -5:00]
Running from: c:\documents and settings\Walter J. Maxwell\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100602-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-05-30 00:28 . 2010-05-30 00:28 -------- d-----w- c:\documents and settings\Walter J. Maxwell\DoctorWeb
2010-05-29 23:11 . 2010-05-29 23:11 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-05-29 15:09 . 2010-05-29 15:09 -------- d-----w- c:\documents and settings\Walter J. Maxwell\Local Settings\Application Data\Threat Expert
2010-05-29 14:50 . 2010-05-29 20:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-29 03:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-05-29 01:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-29 01:59 . 2010-05-29 13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 01:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-28 02:52 . 2010-05-28 02:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-27 02:06 . 2010-05-27 02:06 -------- d-----w- c:\documents and settings\Walter J. Maxwell\Application Data\Malwarebytes
2010-05-27 01:07 . 2010-05-27 01:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-27 01:07 . 2010-05-27 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-27 01:05 . 2010-05-27 01:04 363520 ----a-w- C:\rkill.com
2010-05-27 00:59 . 2010-05-27 00:52 6153352 ----a-w- C:\mbam-setup.exe
2010-05-27 00:56 . 2010-05-27 00:56 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-27 00:11 . 2010-05-27 02:00 -------- d-----w- c:\documents and settings\Walter J. Maxwell\Local Settings\Application Data\qwljeywju

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-04 00:34 . 2009-10-11 18:00 -------- d-----w- c:\program files\lg_fwupdate
2010-05-29 03:58 . 2010-05-29 03:58 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-05-29 03:58 . 2010-05-29 03:58 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-05-17 22:55 . 2007-12-27 22:21 -------- d-----w- c:\program files\Google
2010-05-12 02:11 . 2009-07-18 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-24 02:41 . 2008-01-07 01:20 -------- d-----w- c:\documents and settings\Walter J. Maxwell\Application Data\Apple Computer
2010-04-23 14:01 . 2010-04-23 14:01 -------- d-----w- c:\program files\iTunes
2010-04-23 14:01 . 2010-04-23 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-23 14:01 . 2010-04-23 14:01 -------- d-----w- c:\program files\iPod
2010-04-23 14:01 . 2009-06-19 13:12 -------- d-----w- c:\program files\Common Files\Apple
2010-04-23 13:59 . 2010-04-23 13:58 -------- d-----w- c:\program files\QuickTime
2010-04-23 13:56 . 2010-04-23 13:56 -------- d-----w- c:\program files\Bonjour
2010-04-23 13:53 . 2010-04-23 13:53 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-28 02:35 . 2010-01-24 19:48 1266464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-10 06:15 . 2007-07-27 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-21 68856]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-12-05 2295072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-12-10 139264]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-19 557056]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/13/2008 4:29 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/13/2008 4:29 PM 20560]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 4:31 PM 161064]
S2 gupdate1ca26bd67db07c4;Google Update Service (gupdate1ca26bd67db07c4);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2009 9:23 PM 133104]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.SYS [8/16/2009 12:33 PM 40672]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-12-05 17:27 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-27 02:23]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 02:23]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 02:23]

2010-06-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mediacomtoday.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 19:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-1482476501-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:72,11,40,de,3f,36,38,58,6e,fa,02,55,54,d8,39,f8,08,84,5f,6f,ff,c8,b1,
b6,8e,55,e7,6e,d4,de,f5,6a,75,7f,11,5a,a6,43,32,44,b3,99,21,e5,a7,d5,d8,fd,\
"??"=hex:3a,4e,f6,46,b1,d0,05,a0,4d,37,56,54,79,1b,b8,48
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-03 20:04:01
ComboFix-quarantined-files.txt 2010-06-04 01:03

Pre-Run: 220,453,695,488 bytes free
Post-Run: 220,901,801,984 bytes free

- - End Of File - - AE0BA885C0AF097CB1617FF9A4B6DD87


#6 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 05 June 2010 - 11:27 AM

Hello again,

I'm sorry about the delay; I had some other work that needed to be done.

Let's continue here.

Can I ask you why your internet does not work on your infected machine currently? How did this happen? Any description etc...?

Yes, you can use your Windows XP Disk to install it. Please go here and under the Installing/Running the Windows Recovery Console: follow the instructions on installing it using your Windows XP Disk. Do not boot into the Recovery Console but just install it.

Once it's done installing, reboot your computer and run Combofix once more please.

Thanks.

~Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 wmaxwell

  • Topic Starter
  • Members
  • 21 posts

Posted 05 June 2010 - 07:33 PM

As noted in my original post, after using Malwarebytes in safe mode (administrator) to remove Antivirus Soft, upon rebooting the network would attempt to acquire an IP address, along with the inability to use the wireless keyboard. This situation would change occasionally upon reboot. Currently the network connection shows connected and firewalled, yet I'm unable to get to the internet or the router. The Device Manager lists the net adapter as Nvidia nForce Networking Controller #2; the Network Connections page shows "Network Connection 6", but when I open the Configure tab it lists Nvidia nForce Networking Controller #2. Each time I reboot the computer, I never know whether it will come up normally (blue task bar displayed at approximately the same time as the wallpaper; rare) or busted (grey task bar displayed much later than the wallpaper, with a busted keyboard connection and internet connection; frequent). Sometimes in the busted mode the network connection is available. Also, sometimes the firewall is turned off. When I try to install the Windows XP Recovery Console from the CD, it warns that "Setup cannot continue because the version of Windows on your computer is newer than the version on the CD. To erase the newer version and install the older version, restart the computer, reboot from this CD, and follow the instructions for a new installation." Since I cannot reach the internet, it had to skip the Dynamic Update step.

In the meantime my laptop now has Sysinternals Antivirus popping up.

ComboFix 10-06-03.01 - Walter J. Maxwell 06/05/2010 20:09:51.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1476 [GMT -5:00]
Running from: c:\documents and settings\Walter J. Maxwell\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100602-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
.

2010-05-30 00:28 . 2010-05-30 00:28 -------- d-----w- c:\documents and settings\Walter J. Maxwell\DoctorWeb
2010-05-29 23:11 . 2010-05-29 23:11 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-05-29 15:09 . 2010-05-29 15:09 -------- d-----w- c:\documents and settings\Walter J. Maxwell\Local Settings\Application Data\Threat Expert
2010-05-29 14:50 . 2010-05-29 20:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-29 03:56 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2010-05-29 01:59 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-29 01:59 . 2010-05-29 13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 01:59 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-28 02:52 . 2010-05-28 02:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-05-27 02:06 . 2010-05-27 02:06 -------- d-----w- c:\documents and settings\Walter J. Maxwell\Application Data\Malwarebytes
2010-05-27 01:07 . 2010-05-27 01:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-27 01:07 . 2010-05-27 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-27 01:05 . 2010-05-27 01:04 363520 ----a-w- C:\rkill.com
2010-05-27 00:59 . 2010-05-27 00:52 6153352 ----a-w- C:\mbam-setup.exe
2010-05-27 00:56 . 2010-05-27 00:56 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-27 00:11 . 2010-05-27 02:00 -------- d-----w- c:\documents and settings\Walter J. Maxwell\Local Settings\Application Data\qwljeywju

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-06 01:03 . 2009-10-11 18:00 -------- d-----w- c:\program files\lg_fwupdate
2010-05-29 03:58 . 2010-05-29 03:58 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2010-05-29 03:58 . 2010-05-29 03:58 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-05-17 22:55 . 2007-12-27 22:21 -------- d-----w- c:\program files\Google
2010-05-12 02:11 . 2009-07-18 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-24 02:41 . 2008-01-07 01:20 -------- d-----w- c:\documents and settings\Walter J. Maxwell\Application Data\Apple Computer
2010-04-23 14:01 . 2010-04-23 14:01 -------- d-----w- c:\program files\iTunes
2010-04-23 14:01 . 2010-04-23 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-23 14:01 . 2010-04-23 14:01 -------- d-----w- c:\program files\iPod
2010-04-23 14:01 . 2009-06-19 13:12 -------- d-----w- c:\program files\Common Files\Apple
2010-04-23 13:59 . 2010-04-23 13:58 -------- d-----w- c:\program files\QuickTime
2010-04-23 13:56 . 2010-04-23 13:56 -------- d-----w- c:\program files\Bonjour
2010-04-23 13:53 . 2010-04-23 13:53 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-03-28 02:35 . 2010-01-24 19:48 1266464 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-10 06:15 . 2007-07-27 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-06-04_00.59.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-06 00:59 . 2010-06-06 00:59 16384 c:\windows\Temp\Perflib_Perfdata_650.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-21 68856]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-12-05 2295072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2004-12-10 139264]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-19 557056]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [4/13/2008 4:29 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/13/2008 4:29 PM 20560]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 4:31 PM 161064]
S2 gupdate1ca26bd67db07c4;Google Update Service (gupdate1ca26bd67db07c4);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2009 9:23 PM 133104]
S3 PVUSB;CESG502 USB Driver;c:\windows\system32\drivers\CESG502.SYS [8/16/2009 12:33 PM 40672]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-12-05 17:27 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-27 02:23]

2010-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 02:23]

2010-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-27 02:23]

2010-06-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mediacomtoday.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 20:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-484763869-1482476501-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:72,11,40,de,3f,36,38,58,6e,fa,02,55,54,d8,39,f8,08,84,5f,6f,ff,c8,b1,
b6,8e,55,e7,6e,d4,de,f5,6a,75,7f,11,5a,a6,43,32,44,b3,99,21,e5,a7,d5,d8,fd,\
"??"=hex:3a,4e,f6,46,b1,d0,05,a0,4d,37,56,54,79,1b,b8,48
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(796)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1096)
c:\windows\system32\WININET.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-05 20:27:10
ComboFix-quarantined-files.txt 2010-06-06 01:27
ComboFix2.txt 2010-06-04 01:04

Pre-Run: 220,900,593,664 bytes free
Post-Run: 220,858,667,008 bytes free

- - End Of File - - 002766981D1F5D2CF9C53F481BDBF7C5


#8 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 05 June 2010 - 09:25 PM

Hello.

Thanks for the description.

QUOTE
In the meantime my laptop now has Sysinternals Antivirus popping up.

What do you mean by that?

So far, the logs appear to look good now.

I want to make sure, so could you run a GMER scan once more, like before?

Thanks.


#9 wmaxwell

  • Topic Starter
  • Members
  • 21 posts

Posted 06 June 2010 - 06:20 AM

While waiting for the other computer to finish processing ComboFix, the laptop started with the Sysinternals Antivirus pop-ups. I looked the removal process up and ran rkill.com and Malwarebytes Anti-Malware. It found approximately 30 items. Upon rebooting an error message popped up: "Error Loading C:\Windows\Wlbdyct.dll. The specified module could not be found." Also, prior and since, Norton (outdated) warns "Norton Internet Worm Protection detected and blocked an intrusion attempt". I clicked on the details button and "Intrusion: HTTPS Tidserv Request 2" and Intruder lili6bo.com (91.212.226.59) was provided. Another was "Intrusion: HTTPS Tidserv Request 2" and Intruder n16fa53.com (202.157.171.207) (https(443)), Risk Level High, Protocol: TCP, Attacked Port 1600. The Windows error message has not repeated.

Attached File: ark.txt (8.21KB)


#10 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 June 2010 - 02:18 PM

Thanks for the description. The error related to the "Error Loading" message was because the file was gone and there was just an empty registry key pointing to it.

The GMER log looks fine.

How's your computer running now? Any warning from Norton still?

Also, could you do the following to restore the internet settings that have been modified...


In Internet Explorer: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings".
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> set to "No Proxy".

Apply the changes and restart your computer.

QUOTE
While waiting for the other computer to finish processing Combofix the laptop started with the Sysinternals Antivirus pop-ups.

Are we dealing with two separate computers here? I'm a bit confused by that statement.

Let me know.
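One way to verify (and, with -Reset, apply) the direct/auto-detect proxy state the instructions above ask for, as an added example that is not part of this thread or the helper's procedure. It assumes a PowerShell host running as the affected user; the registry key is the documented WinINET location, while the flag-byte layout of the DefaultConnectionSettings blob is taken from common field documentation rather than an official specification.

```powershell
# Added example (not from the thread): report, and optionally reset, the
# per-user WinINET proxy settings that Internet Explorer's "LAN Settings"
# dialog edits. ProxyEnable/ProxyServer/ProxyOverride/AutoConfigURL are
# documented values; "Automatically detect settings" is a bit in the binary
# DefaultConnectionSettings value (assumed layout: flag byte at offset 8,
# 0x01 direct, 0x02 use ProxyServer, 0x04 use AutoConfigURL, 0x08 auto-detect).
param([switch]$Reset)

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$conn = Join-Path $key 'Connections'

function Get-ProxyState {
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    $flags = 0x01   # default when no connection blob exists: direct access
    $blob = (Get-ItemProperty -Path $conn -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if ($blob -and $blob.Length -gt 8) { $flags = $blob[8] }
    [pscustomobject]@{
        ProxyEnable   = [int]($p.ProxyEnable)
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        AutoConfigURL = $p.AutoConfigURL
        AutoDetect    = [bool]($flags -band 0x08)
        UsesProxyFlag = [bool]($flags -band 0x02)
    }
}

function Test-ProxyClean {
    param($State)
    # A home machine that should talk to its router directly has no proxy
    # server, no PAC URL, and auto-detect switched on.
    -not $State.ProxyEnable -and -not $State.ProxyServer -and
        -not $State.AutoConfigURL -and $State.AutoDetect
}

function Reset-ProxyState {
    Set-ItemProperty -Path $key -Name ProxyEnable -Value 0 -Type DWord
    foreach ($n in 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue
    }
    $blob = (Get-ItemProperty -Path $conn -ErrorAction SilentlyContinue).DefaultConnectionSettings
    if ($blob -and $blob.Length -gt 8) {
        $blob[8] = 0x09   # direct + auto-detect; clears the proxy and PAC bits
        Set-ItemProperty -Path $conn -Name DefaultConnectionSettings -Value $blob -Type Binary
    }
}

$before = Get-ProxyState
$before | Format-List
if (Test-ProxyClean $before) {
    'Proxy settings are already in the direct/auto-detect state.'
} elseif ($Reset) {
    Reset-ProxyState
    'Reset applied; current state:'
    Get-ProxyState | Format-List
} else {
    'Proxy settings differ from the expected state; rerun with -Reset to correct them.'
}
```

Any non-empty ProxyServer or AutoConfigURL on a machine that never used a proxy is worth recording before resetting, since it shows where the browser's traffic was being redirected.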

#11 wmaxwell

  • Topic Starter
  • Members
  • 21 posts

Posted 06 June 2010 - 04:07 PM

Sorry about that. Yes, I am talking about two different computers. The first computer hasn't changed. The proxy setting wasn't checked. I checked the "use automatic settings" option and it went back to acquiring a new IP address, unable to acquire. The keyboard entry in Device Manager is still broken and the computer does not appear to boot up normally, i.e. the blue task bar appearing at approximately the same time that the wallpaper appears. Currently the task bar is grey. It remained that way after changing the settings and rebooting.

The computer with the Sysinternals Antivirus is the laptop I've been using to post and transfer the files from the desktop (the original infected computer). To reiterate, on the laptop I used rkill and Malwarebytes Anti-Malware. The error about the DLL file and the Norton warnings about the worm (Tidserv Request 2) are about the laptop.

I'm currently using a second laptop (Wife's) to send you this reply.

#12 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 June 2010 - 06:31 PM

Hello.

So to get this straight here,

You appear to have two machines infected now?
Which one are we dealing with right now, the one whose logs you are posting?

We only deal with one computer at a time, to avoid confusion such as this and any other problems.

Give me an update on the condition of the infected machine that we were dealing with initially. The internet and the wireless keyboard still don't work? Is that it?

Thanks.


#13 wmaxwell

  • Topic Starter
  • Members
  • 21 posts

Posted 06 June 2010 - 07:13 PM

Yes. The computer with the initial infection is essentially unchanged. It may respond a little faster after booting than before, but the problems I had when I posted originally haven't significantly changed. I posted the information about the second computer in case that information would be useful to you.

Thanks for your quick response.


#14 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 June 2010 - 07:49 PM

I don't see any infections any longer on that computer.

Have you tried re-installing the drivers relating to your internet/keyboard?

#15 wmaxwell

  • Topic Starter
  • Members
  • 21 posts

Posted 06 June 2010 - 08:25 PM

I re-installed the drivers for the keyboard (no change) but I didn't try the NIC adapter. The odd thing about a driver issue is that the keyboard works (worked) in safe mode. Also, the network would work occasionally and appeared to work in safe mode, at least initially. Also, it still doesn't appear to boot properly.





