Fighting continued symptoms including "Generic Host Process for Win32 Services" error after removing Security Tool and ThinkPoint infections



#1 NeilB
Posted 22 November 2010 - 06:28 PM

Successfully (??) removed SecurityTool and ThinkPoint infections on Friday using the helpful links, tools, and instructions from this website (thanks for everything so far !!). Have since installed Norton IS, to hopefully head off further infections.

However, I am still struggling with side effects; don't know if they're related. Am seeing frequent "Generic Host Process for Win32 Services" errors stating a need to close.

Seeing effects on my XP Pro machine very similar to those reported in stumpedinhere's thread, post #2 from 20 Nov, e.g. "Symptoms: IE would open but would hang forever in "Connecting..." state for any URL. Windows Update blocked. Windows could never completely shut down itself without hanging and requiring manual poweroff." I found and downloaded the "lspfix" utility that the son-in-law used, but it found nothing.

Have run assorted utilities as recommended prior to posting including Defogger, DDS, and GMER. Log files embedded and/or attached.

DDS log:

DDS (Ver_10-11-10.01) - NTFSx86
Run by The Berrys at 17:09:32.45 on Mon 11/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2124 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Portrait Displays\HP Display Assistant\DTHtml.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\HPLiteSaver.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Companion\Installs\cpn1\ytbb.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\The Berrys\Desktop\Defogger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\The Berrys\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
mSearchAssistant =
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80229
uURLSearchHooks: N/A: {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: : {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
EB: {03C1C47F-0538-4645-8372-D3109B9FC636} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Inowobesitefe] rundll32.exe "c:\windows\mpmowpv.dll",Startup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [DT HWP] c:\program files\portrait displays\hp display assistant\DTHtml.exe -startup_folder
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SetRefresh] c:\program files\compaq\setrefresh\\SetRefresh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Kkerera] rundll32.exe "c:\windows\asewemululefari.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdisp~1.lnk - c:\windows\HPLiteSaver.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wn111\wn111.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Notify: AtiExtEvent - Ati2evxx.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-11-21 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-11-21 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20101104.001\BHDrvx86.sys [2010-11-4 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-11-21 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-11-21 116784]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-11-21 126392]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-7-19 576536]
R2 SWIHPWMI;SWIHPWMI;c:\program files\hpq\shared\sierra wireless\win32\unicode\SWIHPWMI.exe [2006-12-4 292384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-20 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20101119.001\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101122.002\NAVENG.SYS [2010-11-22 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101122.002\NAVEX15.SYS [2010-11-22 1371184]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2008-7-19 33024]

=============== Created Last 30 ================

2010-11-22 18:14:20 -------- d-----w- c:\program files\Runtime Software
2010-11-21 08:04:09 361904 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdi.sys
2010-11-21 08:04:09 339504 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys
2010-11-21 08:04:09 173104 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symefa.sys
2010-11-21 08:04:08 501888 ----a-w- c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys
2010-11-21 08:04:08 43696 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtspx.sys
2010-11-21 08:04:08 328752 ----a-r- c:\windows\system32\drivers\nis\1108000.005\symds.sys
2010-11-21 08:04:08 325680 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtsp.sys
2010-11-21 08:04:08 116784 ----a-w- c:\windows\system32\drivers\nis\1108000.005\ironx86.sys
2010-11-21 08:03:52 -------- d-----w- c:\windows\system32\drivers\nis\1108000.005
2010-11-20 22:56:12 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-20 22:56:12 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-11-20 22:56:12 -------- d-----w- c:\program files\Symantec
2010-11-20 22:56:12 -------- d-----w- c:\program files\common files\Symantec Shared
2010-11-20 22:55:12 -------- d-----w- c:\windows\system32\drivers\NIS
2010-11-20 22:55:10 -------- d-----w- c:\program files\Norton Internet Security
2010-11-20 22:52:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-11-20 22:49:23 -------- d-----w- c:\program files\NortonInstaller
2010-11-20 22:49:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-11-19 16:55:45 -------- d-----w- c:\docume~1\theber~1\applic~1\Malwarebytes
2010-11-19 16:51:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-19 16:51:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-19 16:51:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-19 16:51:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-19 15:29:00 0 ----a-w- c:\windows\Aruqapiwe.bin
2010-11-19 15:28:59 -------- d-----w- c:\docume~1\theber~1\locals~1\applic~1\{55DCAE92-2417-4C53-9B6C-900202DFB332}

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDP725025GLA380 rev.GM2OA5FA -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AB52446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ab58504]; MOV EAX, [0x8ab58580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8ABB9AB8]
3 CLASSPNP[0xF74E7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006a[0x8ABBEF18]
5 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AB69940]
\Driver\atapi[0x8ABFF250] -> IRP_MJ_CREATE -> 0x8AB52446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HDP725025GLA380_________________GM2OA5FA#5&c872865&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AB52292
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 17:11:30.84 ===============
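As an added triage example (not part of the post, and not code from DDS or GMER), the Python below walks the lines quoted from the log above and flags the entries a responder would check first: rundll32 autoruns that load a DLL sitting directly in the Windows root, a zero-byte file created there, the hooked atapi DriverStartIo routine, and GMER's user/kernel MBR mismatch. The "Windows root" heuristic and the severity labels are assumptions of this example, not DDS or GMER conventions.

```python
import re
from dataclasses import dataclass

# Lines copied from the DDS and GMER output in the post above; nothing here is constructed.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Inowobesitefe] rundll32.exe "c:\windows\mpmowpv.dll",Startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Kkerera] rundll32.exe "c:\windows\asewemululefari.dll",Startup
2010-11-19 15:29:00 0 ----a-w- c:\windows\Aruqapiwe.bin
\Driver\atapi DriverStartIo -> 0x8AB52292
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
"""

# DDS "Pseudo HJT" autorun line: uRun/mRun: [name] command
RUN_RE = re.compile(r'^(?P<hive>[um]Run):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$')
# rundll32 invocation of a DLL with an exported entry point, e.g. rundll32.exe "x.dll",Startup
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
# DDS "Created Last 30" file line: date time size attrs path (directories show "--------" as size)
CREATED_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$')
# GMER hook line: \Driver\<name> <Routine> -> 0x<address>
HOOK_RE = re.compile(r'^(?P<driver>\\Driver\\\S+)\s+(?P<routine>\w+)\s+->\s+0x[0-9A-Fa-f]+$')


@dataclass
class Finding:
    severity: str   # assumed labels: "high" or "medium"
    reason: str
    line: str


def windows_root_file(path):
    """True when the path is a file directly inside c:\\windows (not system32 or any subfolder).

    Heuristic assumed by this example: legitimate components live in system32 or a
    vendor folder, so a randomly named DLL or .bin dropped in the root stands out.
    """
    parts = path.strip().lower().replace('/', '\\').split('\\')
    return len(parts) == 3 and parts[0] == 'c:' and parts[1] == 'windows'


def triage(text):
    """Return the Finding list for a DDS/GMER log fragment, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            d = RUNDLL_RE.search(m.group('cmd'))
            if d and windows_root_file(d.group('dll')):
                findings.append(Finding('high', 'rundll32 autorun loads a DLL from the Windows root', line))
            continue  # other autoruns (ctfmon, jusched, ...) pass through untouched
        m = CREATED_RE.match(line)
        if m and int(m.group('size')) == 0 and windows_root_file(m.group('path')):
            findings.append(Finding('medium', 'zero-byte file recently created in the Windows root', line))
            continue
        if line.startswith('user != kernel MBR'):
            findings.append(Finding('high', 'user-mode and kernel-mode reads of the MBR differ', line))
            continue
        m = HOOK_RE.match(line)
        if m:
            findings.append(Finding('high', f"{m.group('routine')} of {m.group('driver')} is hooked", line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The GMER MBR mismatch and the atapi hook point at the boot sector rather than at any single autorun entry, which is why the log's own advice is the MBR repair step rather than deleting the flagged DLLs one by one.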

#2 NeilB

Posted 23 November 2010 - 09:41 PM

Title was: YCemSCI.exe file on desktop what is it and how do I fix my PC? ~ OB

YCemSCI.exe file showed up on my desktop on Friday 11/19. Probably not a coincidence that I also had Security Tool and ThinkPoint infections show up the same day?

I got rid of those (I think) following instructions and using tools from this site (yay !!). But I'm still having issues with the machine including:
- periodic "Generic Host Process for Win32 Services needs to close" errors
- slow opening Internet Explorer windows, often to the point of hanging up forever in a "Connecting..." state and requiring me to reboot.

I ran DDS and GMER as advised in the "Preparation Guide...", the log is below. A rootkit was indicated.
From reading other posts it looks like the next thing I should do is run "TDSSKiller"? Or should I do "mbr.exe -f" as it says at the bottom of the log?
Please advise. I don't know enough about this stuff to be comfortable moving forward.
Thanks.


Edited by Orange Blossom, 24 November 2010 - 08:22 PM.
Merged topics. ~ OB
