
Virus/Malware Issues


  • This topic is locked
3 replies to this topic

#1 eribs4e

eribs4e

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:39 AM

Posted 03 August 2010 - 07:05 PM

Hello fellow Geeks, I'm having some issues with a new virus/malware infection on my PC and I'm hoping someone can help. The things I've noticed regarding this infection are as follows:

- Occasional random popups in my browser, usually to a page with links related to a recent Google search. I use Firefox and the pages open in Firefox.
- A "Generic Host Process for Win32 Services has encountered an error...." message. This then results in my PC being unusable, requiring a hard reboot. This problem was occurring approximately every 15-20 minutes for about 3-4 hours. I ran some virus scans and Malwarebytes and it found some stuff which I removed. This issue has not happened again since.
- Can't access the Microsoft Windows Update site to ensure my updates are current.
- All my system restore points were coming back as "unable to restore to this point". Not sure if this is related or not but the system restore points were working fine earlier (used a restore last week).

Here's a copy of my HijackThis log. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:45:30, on 03/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r213367\stacsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OA001Mon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\eRoom 7\ERClient7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\e_ribeir\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OA001Mon] C:\WINDOWS\OA001Mon.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DellControlPoint] "c:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [ChangeTPMAuth] C:\Program Files\Wave Systems Corp\Common\ChangeTPMAuth.exe /T:NTRU12
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [EJ-HOME\EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P34 "EJ-HOME\EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
O4 - Global Startup: Printkey.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuit

Moderators please remove the multiple postings of the same topic. I was getting an error when posting, but it was obviously working.

I apologize for the inconvenience.

er

EDIT: Dupes taken care of, merged posts today ~ Hamluis.

Edited by hamluis, 04 August 2010 - 07:31 PM.
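A small parser for the HijackThis log format posted above, added here as an example; it is not code from HijackThis, BleepingComputer or anyone in this thread. It takes a handful of lines copied from the log (with the path backslashes that the forum software stripped put back) plus one constructed O4 line, splits each R/O entry into section, name, CLSID and target, and flags the things a responder reads first: a BHO registered with "(no file)" behind it, a blank Start Page value, a startup shortcut HijackThis could only resolve to "?", a rundll32-hosted loader, and anything launched from a user-writable profile directory. A flag means "look at this", not "malicious": the NVIDIA NvCplDaemon entry in the posted log trips the rundll32 check and is a normal driver component.

```python
"""Parse HijackThis 2.x log entries and flag the ones to read first.

Added example for this thread; not code from HijackThis, BleepingComputer or
anyone posting here. Flags mean "look at this", not "malicious".
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^([RFOD]\d{1,2}) - (.*)$")          # "O2 - BHO: ..."
O4_RUN_RE = re.compile(r"^(.*?): \[(.*?)\](?: (.*))?$")   # "HKLM\..\Run: [Name] cmd"
R_RE = re.compile(r"^(.*?)\s*=\s*(.*)$")                   # "key,value = url"

# Path fragments that mean "runs from somewhere the user can write to" (XP layout).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\", "\\downloads\\")


@dataclass
class Entry:
    section: str                  # R0, R1, O2, O3, O4, O9, ...
    raw: str
    name: str = ""
    clsid: Optional[str] = None
    target: str = ""              # file path, URL or command line
    flags: List[str] = field(default_factory=list)


def annotate(e: Entry) -> None:
    """Attach review flags; each check is one thing a responder eyeballs."""
    t, low = e.target, e.target.lower()
    if t == "(no file)":
        e.flags.append("orphaned-entry")        # registered, but the DLL is gone
    if e.section[0] == "R" and t == "":
        e.flags.append("empty-value")           # blank Start/Search page
    if e.section == "O4" and t == "?":
        e.flags.append("unresolved-shortcut")   # .lnk whose target HJT could not read
    if e.section == "O4" and low.startswith("rundll32"):
        e.flags.append("rundll32-loader")       # DLL hosted by rundll32; check the DLL
    if any(frag in low for frag in USER_WRITABLE):
        e.flags.append("user-profile-path")     # autostart from a user-writable dir


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an R/O log line, or None for headers and process lists."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    e = Entry(section=section, raw=line)
    if section[0] == "R":
        mr = R_RE.match(body)                              # "HKCU\...\Main,Start Page = value"
        e.name, e.target = (mr.group(1), mr.group(2)) if mr else (body, "")
    elif section in ("O2", "O3", "O9"):
        parts = [p.strip() for p in body.split(" - ")]     # "BHO: Name - {CLSID} - path"
        e.name = parts[0].partition(": ")[2] or parts[0]
        for p in parts[1:]:
            if CLSID_RE.fullmatch(p):
                e.clsid = p
            else:
                e.target = p
    elif section == "O4":
        mo = O4_RUN_RE.match(body)
        if mo:                                             # "HKLM\..\Run: [Name] command"
            e.name, e.target = mo.group(2), mo.group(3) or ""
        else:                                              # "Global Startup: x.lnk = path"
            rest = body.partition(": ")[2] or body
            e.name, _, e.target = rest.partition(" = ")
    else:
        e.target = body
    annotate(e)
    return e


def triage(log_text: str) -> Dict[str, object]:
    """Parse a whole log; return counts per section and the flagged entries."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_section: Dict[str, int] = {}
    for e in entries:
        by_section[e.section] = by_section.get(e.section, 0) + 1
    return {"entries": len(entries), "by_section": by_section,
            "flagged": [e for e in entries if e.flags]}


# Lines copied from the log posted above (path separators restored); the last
# O4 line is constructed, not from the log, to exercise the user-writable-path check.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['entries']} entries: {result['by_section']}")
    for e in result["flagged"]:
        print(f"[{', '.join(e.flags)}] {e.raw}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the "(no name) ... (no file)" BHO in the posted log is the kind of orphaned entry the helper would normally have the poster remove, while the blank Start Page and the "?" shortcut are usually harmless and only worth a glance.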




#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:39 PM

Posted 11 August 2010 - 01:35 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:


Step # 1 Download and run DDS

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.



Step # 2: Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc!

Please post the results from the GMER scan in your reply.


In your next post/reply, I need to see the following:

1. The two DDS Logs (DDS and Attach.txt)
2. The GMER Log

Use multiple posts if you can't fit everything into one post.

MalWare Removal University Master

Member of ASAP


#3 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:39 PM

Posted 14 August 2010 - 12:22 PM

eribs4e? Do you still need help?

MalWare Removal University Master

Member of ASAP


#4 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:39 PM

Posted 17 August 2010 - 01:31 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

MalWare Removal University Master

Member of ASAP




