
Hidden Process prevents malware, restore, security center, more


  • This topic is locked
3 replies to this topic

#1 SanDiegoDeb

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:46 PM

Posted 11 October 2010 - 10:00 PM

At wit's end! Something is preventing all my malware tools, plus firewall (including ICS service), system restore, etc. from running. I haven't been connected to the internet since this began (10/8/10). I'm posting this from a friend's machine.

Upon startup, the first strange thing is a Dr. Watson error report about a Generic Host Process for Win32 Services being terminated. Then the Windows Security Center is stopped by something and my firewall is disabled. Here are the details from that report:
C:\DOCUME~1\Owner\LOCALS~1\Temp\WERd322.dir00\svchost.exe.mdmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\WERd322.dir00\appcompat.txt

I can run Malwarebytes, Spybot, mssec and other tools ONLY IF I rename the exes, but the only thing they've found was Trojan.Agent.Gen by Malwarebytes two days ago, and after it was removed the problems persisted. Now my malware tools find nothing. Here are the details from that infection:
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1QLH3B5H\file_file[1].exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP446\A0026888.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

When I run the Microsoft Malicious Software Removal Tool (September version) it finds Win32/Alureon.h but tells me that it can only remove it partially. It then asks me to run malware tools - which I do, but find nothing. Another run of the MSRT finds Alureon again.

Booting into Safe Mode doesn't help. I know I have a problem as soon as the Dr. Watson error report about a Generic Host Process being terminated pops up; I can't run my malware tools unless they've been renamed... and my desktop flashes strangely.

If I use rkill right before opening system restore, I can get it to do a restore (gotta time it just right). I've gone back to a few restore points but the problem persists.

I've tried Malwarebytes, Spybot, mssec, AVG, Windows Defender, SUPERAntiSpyware and Ad-Aware to clean this problem - nothing helps. I've actually uninstalled AVG, mssec and Defender, thinking they may be part of the problem. I'm afraid to connect to the internet again until I clear this up. But my friend can copy files so I can install whatever I need (which is how I've gotten all the Bleeping Computer tools).

Thank you so very much to anyone who can help. System recovery is my last resort if you all can't help. (If that'll even work!) Here are the logs you requested:

DDS (Ver_10-10-10.03) - NTFSx86
Run by Owner at 16:32:08.39 on Mon 10/11/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.650 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MozyHome\mozystat.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://srch-us7.hpwis.com/
uDefault_Page_URL = hxxp://us7.hpwis.com/
uDefault_Search_URL = hxxp://srch-us7.hpwis.com/
uSearch Bar = hxxp://srch-us7.hpwis.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-us7.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://us7.hpwis.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [D-Link Wireless G WUA-1340] c:\program files\d-link\wireless g wua-1340\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
dRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
mPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: avg.com\free
Trusted Zone: avg.com\guru
Trusted Zone: avg.cz\bguru
Trusted Zone: avgfree.com\update
Trusted Zone: grisoft.cz\guru1
Trusted Zone: nbcolympics.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229556038562
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://206.168.252.204/activex/AxisCamControl.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38392.6069675926
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
DPF: {B3E451DC-DD2B-4ECD-B226-08FF692024B1} - hxxp://62.26.118.215/BMWeb/webinstaller.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - hxxp://by110fd.bay110.hotmail.msn.com/activex/HMAtchmt.ocx
Filter: text/html - {45b845f3-3e7b-4450-81c7-07e69ef05528} -
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\common files\microsoft shared\information retrieval\itss51.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-16 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 MLPTDR_Q;MLPTDR_Q;c:\windows\system32\MLPTDR_Q.SYS [2007-9-13 18848]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1356952]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-16 15008]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]

=============== Created Last 30 ================

2010-10-11 20:04:40 -------- d-----w- C:\75.tmp
2010-10-11 20:04:03 -------- d-----w- C:\74.tmp
2010-10-11 07:34:10 65536 ----a-w- c:\windows\~DFCCFB.tmp
2010-10-11 00:07:24 -------- d-----w- C:\73ad5d2e51f64f269da607f1
2010-10-10 22:40:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-10 04:30:04 -------- d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-10-10 04:29:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-09 17:19:36 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-09 17:19:36 -------- d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-08-30 16:57:54 11429880 ----a-w- c:\documents and settings\all users\Tempmozy-update-276de83018ab0bd479fed02f72221521.exe
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 12:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-17 09:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 16:35:12.70 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-11 19:48:44
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fxldapob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76D987E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76D9BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pci.sys entry point in ".rsrc" section [0xF7637994]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86EEDEC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pci.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Hi Again-
I'm trying very hard to be patient as I know you all are so very busy but...

My computer was mistakenly allowed onto the internet again last night and many Windows updates were downloaded. I'm not sure if they've been installed, as I turned it off with the option of not installing them, and now that it's back on (but not connected to the net!) I can't tell if they have been installed.

So - should I try to install them now? Should I rerun all my logs? Not sure. Please advise.

EDIT: Posts merged ~BP

Edited by Budapest, 18 October 2010 - 12:47 AM.
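The GMER section of the log above carries the pattern that matters for triage: the atapi disk device object resolving only to a bare kernel address, pci.sys with its entry point moved into its .rsrc section, and both drivers flagged as modified on disk, while the two SSDT hooks are attributed to a named Lavasoft module. As an added example (not code from the thread, from GMER, or from Bleeping Computer), this Python script reads those log lines and scores them; the sample input is the posted log trimmed to the relevant sections, and the rule names and severities are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the relevant lines of the GMER log posted above,
# trimmed to the sections the rules below read. Paths and addresses are as posted.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF76D987E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF76D9BFE]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pci.sys entry point in ".rsrc" section [0xF7637994]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mozy.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86EEDEC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pci.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""


@dataclass
class Finding:
    severity: str   # "high" = rootkit indicator, "info" = worth a look, usually benign
    rule: str       # rule names are this example's own, not GMER terminology
    detail: str


# SSDT hook that GMER could attribute to a named module with a vendor string.
SSDT_NAMED = re.compile(r"^SSDT\s+(\S+)\s+\((.+?)\)\s+(Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
# SSDT hook with only an address or path and no vendor attribution.
SSDT_ANON = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
# A driver whose entry point lies in its resource section; TDSS/Alureon (TDL3)
# infects a boot driver this way and GMER reports it under "Kernel code sections".
RSRC_ENTRY = re.compile(r'^\.rsrc\s+(\S+)\s+entry point in "\.rsrc" section')
# Disk device object whose driver resolves only to a bare kernel address. GMER
# names the module behind a device when it can resolve one; the bare-address
# form is what gets reported on TDSS/Alureon-infected disks.
DEVICE_HIJACK = re.compile(r"^Device\s+->\s+(\\Driver\\\S+)\s+(\\Device\\\S+)\s+([0-9A-Fa-f]{8})$")
# GMER's own verdict that an on-disk driver image differs from what it expects.
SUSPICIOUS_FILE = re.compile(r"^File\s+(.+?)\s+suspicious modification$")


def triage_gmer(log_text: str) -> list:
    """Return one Finding per GMER line that matches a rule; other lines are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank lines and section banners
        if m := SSDT_NAMED.match(line):
            findings.append(Finding("info", "ssdt-hook-attributed",
                                    f"{m.group(3)} hooked by {m.group(1)} ({m.group(2)})"))
        elif m := SSDT_ANON.match(line):
            findings.append(Finding("high", "ssdt-hook-unattributed",
                                    f"{m.group(2)} hooked from {m.group(1)}"))
        elif m := RSRC_ENTRY.match(line):
            findings.append(Finding("high", "driver-entry-point-in-rsrc", m.group(1)))
        elif m := DEVICE_HIJACK.match(line):
            findings.append(Finding("high", "disk-device-object-hijack",
                                    f"{m.group(2)} via {m.group(1)} -> {m.group(3)}"))
        elif m := SUSPICIOUS_FILE.match(line):
            findings.append(Finding("high", "driver-file-modified", m.group(1)))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity; a non-zero 'high' count means escalate."""
    counts = {"high": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage_gmer(SAMPLE_GMER_LOG)
    for f in results:
        print(f"[{f.severity:4}] {f.rule}: {f.detail}")
    print(summarize(results))
```

On the posted log this yields four high findings and two informational ones, which matches the thread's outcome: the Lavasoft SSDT hooks were a legitimate product, and TDSSKiller is what removed the rest.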



#2 SanDiegoDeb

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:46 PM

Posted 19 October 2010 - 01:14 PM

OK - needed to get computer back so I attempted to fix using tips I learned on this site and I think it worked!
I ran tdsskiller and it found and killed something - see attached file for info.

Then I reinstalled MS Security Essentials and it found and killed some java exploits.

Now everything runs clean and all symptoms are gone. My firewall is staying up and I've reconnected to the net.

So - I reran DDS and GMER and have attached the logs. If someone would like to take a look to see that I've got all the bad stuff off, I'd really appreciate it. Otherwise, just feel free to close this topic. Thanks!

Attached Files
  • DDS2.txt   12.45KB   1 downloads
  • Attach2.zip   4.97KB   1 downloads
  • ark2.log   674bytes   0 downloads
  • TDSSKiller.log   37.1KB   0 downloads

#3 pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  • Gender:Male
  • Location:God's Country
  • Local time:12:46 AM

Posted 20 October 2010 - 08:26 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


PW

#4 thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:46 AM

Posted 26 October 2010 - 02:39 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
