
Trojan problem


  • This topic is locked
21 replies to this topic

#1 bryanrutgers

bryanrutgers

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 10 December 2010 - 06:22 PM

My wife's computer was having redirect issues when clicking on links on the internet. Also, the taskbars in Office and Firefox were not right; they looked like the old-school Windows bars. The computer was also very slow. She allowed Ad-Aware to remove several files, although she says most looked like they were in the cookies category. She completed the recommended actions and rebooted the computer. Ad-Aware then popped up again and did a scan in the background. There were some programs that froze at this point. She asked for my help. Ad-Aware didn't remove anything but cookies this time. When I restarted, it gave me an error about not finding csrss.exe. I also found winlogon.exe and rundll32.exe to be running processes that could not be ended. I assumed these are part of my problem and also assumed the problem is a trojan of some kind.

I ran the DDS program. Then I ran the GMER program; it quickly caused the computer to crash (blue screen, memory issue). I rebooted in Safe Mode. GMER then ran fine.

After removal of the malware/virus/trojan I plan to format and reload Windows. It is a Vista machine. I do not have a startup disc for it. I'm not really sure how to go about reloading Windows, so if info could be given on how to do that when this is all done, that would be great. I tried doing this already, but I don't have a recovery disc. The computer is an eMachines. I never made a disc and now it won't let me. If I try to make one, the program freezes, even if I try in Safe Mode.

I am running MBAM.


I need this fixed ASAP, so I am going to continue doing some things. I know enough not to mess anything up too badly. I will edit and include any changes that occur. I understand this site is volunteer-run and there are lots of people asking for help.


DDS (Ver_10-12-05.01) - NTFSx86
Run by Riss at 17:49:02.97 on Fri 12/10/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1790.760 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\bin32\nSvcAppFlt.exe
C:\Program Files\bin32\nSvcIp.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\HidChk.exe
C:\Program Files\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\eRecovery\eRecoveryMain.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Riss\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.yahoo.com
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1006&m=el1210-09
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:54323
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uWinlogon: Shell=explorer.exe,c:\users\riss\appdata\roaming\dwm.exe
uWindows: Load=c:\users\riss\appdata\local\temp\csrss.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [eRecoveryService]
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [SmartAccess AutoStart] "c:\program files\verizon\fios\smartaccess\FIOS.exe" /file:///C:/Program Files/Verizon/FiOS/sscommon/common/snapins/shell/ss_shell.htm ""
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\users\riss\appdata\roaming\microsoft\windows\start menu\programs\startup\chkntfs.exe
StartupFolder: c:\users\riss\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE} - {7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} - c:\program files\clickpotatolite\bin\10.0.523.0\ClickPotatoLiteSABHO.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\riss\appdata\roaming\mozilla\firefox\profiles\cyxiswnb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Amazon.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54323
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\verizon\vsp\nprpspa.dll
FF - plugin: c:\users\riss\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\users\riss\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\riss\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\riss\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\users\riss\appdata\roaming\mozilla\firefox\profiles\cyxiswnb.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\users\riss\appdata\roaming\mozilla\firefox\profiles\cyxiswnb.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: vShare: vshare@toolbar - c:\users\riss\appdata\roaming\mozilla\firefox\profiles\cyxiswnb.default\extensions\vshare@toolbar
FF - Extension: Move Media Player: moveplayer@movenetworks.com - c:\users\riss\appdata\roaming\Move Networks

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-7 64288]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20101202.001\IDSvix86.sys [2010-12-8 287792]
R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2006-10-11 24576]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-2-17 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-31 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-9-4 43552]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-9-4 1245064]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-2-19 41008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-14 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1375992]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-11 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-4 30192]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15264]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-24 09:40:35 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-11-10 23:43:25 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

==================== Find3M ====================

2010-09-20 09:25:01 231936 ----a-w- c:\windows\system32\msshsq.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001 Disk: ST316081 rev.4.AA -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x86268555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8626e7b0]; MOV EAX, [0x8626e82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x824C805F] -> \Device\Harddisk0\DR0[0x85BC5AC8]
3 CLASSPNP[0x82FA4745] -> ntkrnlpa!IofCallDriver[0x824C805F] -> [0x848C24F0]
5 acpi[0x806106A0] -> ntkrnlpa!IofCallDriver[0x824C805F] -> [0x8452DB10]
\Driver\nvstor32[0x85DCBB50] -> IRP_MJ_CREATE -> 0x86268555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\0000005b -> \??\SCSI#Disk&Ven_ST316081&Prod_5AS#4&184b1603&0&010100#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 17:49:57.14 ===============



Edited by bryanrutgers, 11 December 2010 - 09:09 AM.
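A worked example, added here and not part of the original thread: a small Python script that scans a DDS "Pseudo HJT Report" for the indicators that stand out in the log above (IE and Firefox proxies pointed at 127.0.0.1, a Winlogon Shell value that names a second executable, a populated Windows Load value, a bare .exe sitting in the Startup folder, and system-binary names such as csrss.exe or dwm.exe loading from AppData or Temp instead of system32). The sample input is constructed from lines in the log plus one benign control line; the finding categories and the SYSTEM_BINARIES list are the example's own choices, not DDS output.

```python
"""Flag persistence and proxy indicators in a DDS Pseudo HJT report."""
import re

# Constructed sample: entries copied from the DDS log in the post above,
# plus one benign mRun line (ccApp) as a control. Not a live capture.
SAMPLE_REPORT = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:54323
uWinlogon: Shell=explorer.exe,c:\users\riss\appdata\roaming\dwm.exe
uWindows: Load=c:\users\riss\appdata\local\temp\csrss.exe
StartupFolder: c:\users\riss\appdata\roaming\microsoft\windows\start menu\programs\startup\chkntfs.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54323
FF - prefs.js: network.proxy.type - 1
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
"""

# Binaries Windows only ever loads from %SystemRoot%\system32. The same file
# name anywhere else (AppData, Temp) is a classic masquerade. This list is an
# assumption of the example; extend it as needed.
SYSTEM_BINARIES = {"csrss.exe", "winlogon.exe", "dwm.exe", "rundll32.exe",
                   "smss.exe", "lsass.exe", "services.exe", "svchost.exe"}

LOCALHOST = ("127.0.0.1", "localhost")


def basename(path):
    """Last path component, lower-cased, quotes and slashes normalised."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_masquerade(path):
    """True when a system-binary name is loaded from outside system32."""
    p = path.lower()
    return basename(p) in SYSTEM_BINARIES and "\\system32\\" not in p


def analyze(report):
    """Return a list of (category, evidence) findings for a DDS HJT report."""
    findings = []
    ff_prefs = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # IE proxy: malware commonly inserts a loopback proxy to rewrite traffic.
        m = re.match(r"[um]Internet Settings,ProxyServer\s*=\s*(.+)$", line)
        if m:
            if any(h in m.group(1) for h in LOCALHOST):
                findings.append(("IE proxy points at localhost", line))
            continue
        # Winlogon Shell: anything beyond a lone explorer.exe runs at every logon.
        m = re.match(r"[um]Winlogon:\s*Shell=(.+)$", line)
        if m:
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
            if len(entries) != 1 or basename(entries[0]) != "explorer.exe":
                findings.append(("Winlogon Shell carries extra executable", line))
            for e in entries:
                if is_masquerade(e):
                    findings.append(("system binary name outside system32", line))
            continue
        # Windows "Load" value: a legacy autostart that is normally empty.
        m = re.match(r"[um]Windows:\s*Load=(.+)$", line)
        if m:
            findings.append(("Windows Load value populated", line))
            if is_masquerade(m.group(1)):
                findings.append(("system binary name outside system32", line))
            continue
        # DDS writes shortcuts as "<lnk> - <target>"; a bare .exe in the
        # Startup folder has no " - " separator.
        m = re.match(r"StartupFolder:\s*(.+)$", line)
        if m:
            value = m.group(1)
            if " - " not in value and value.lower().endswith(".exe"):
                findings.append(("bare executable in Startup folder", line))
            continue
        # Collect Firefox proxy prefs; they are evaluated together below.
        m = re.match(r"FF - prefs\.js:\s*(network\.proxy\.\S+)\s*-\s*(.+)$", line)
        if m:
            ff_prefs[m.group(1)] = m.group(2).strip()
    # Firefox: manual proxy (type 1) routed through the loopback interface.
    if (ff_prefs.get("network.proxy.type") == "1"
            and ff_prefs.get("network.proxy.http") in LOCALHOST):
        findings.append(("Firefox proxy points at localhost",
                         "network.proxy.http=%s:%s" % (
                             ff_prefs["network.proxy.http"],
                             ff_prefs.get("network.proxy.http_port", "?"))))
    return findings


if __name__ == "__main__":
    for category, evidence in analyze(SAMPLE_REPORT):
        print("%-40s %s" % (category, evidence))
```

Run it against a saved dds.txt by passing the file contents to `analyze()`; every hit is something to explain or remove before trusting the machine, and the two "outside system32" hits on the sample are exactly the dwm.exe and csrss.exe paths the poster noticed.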




#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:04 PM

Posted 18 December 2010 - 06:06 AM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Regards,
Georgi


#3 bryanrutgers

bryanrutgers
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 21 December 2010 - 01:23 PM

I don't mean to be a jerk or anything, but I included everything that you just asked for in my original post in this thread.


Bryan

#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:04 PM

Posted 22 December 2010 - 12:38 AM

Hi,

If the system has been used after the topic creation time, we need to take a look at fresh logs. So, please post fresh copies of the dds.txt and attach.txt logs.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:04 PM

Posted 29 December 2010 - 03:32 AM

Still needing help?



#6 bryanrutgers

bryanrutgers
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 29 December 2010 - 07:42 PM

I have tried many things since the original post. At first I did nothing, because I know the help here is normally great. When B-boy posted his first response to this thread, the computer had sat unused, waiting for a response and directions on what to do. I couldn't wait another week for no response, so I went and tried several things myself. I did a scan with ESET and that removed a few things. I reloaded Windows Vista with the startup discs. This did not fix the problem. But it did allow Norton to remove a few things. I don't remember what these things were. I gave another reinstall of Vista and thought everything was good. Then there were several times that I got a blue screen of death. Also during this time the redirects from Google were back. I reloaded Windows again. No more blue screen of death. I came back here to see if there had been any responses. I downloaded DDS, ran the scan and posted it below. GMER doesn't work. It freezes; I even tried it from Safe Mode. I can also no longer scan from ESET. I did an MBAM scan and it came up with nothing. I am going to give GMER one more go after posting this. If it works I will post it; if not, I will check back here soon.

I AM NOT GOING TO TRY ANYTHING ELSE UNTIL I GET INSTRUCTIONS FROM HERE.



DDS (Ver_10-12-12.02) - NTFSx86
Run by Riss at 19:31:16.84 on Wed 12/29/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1790.870 [GMT -5:00]

AV: Norton 360 *Enabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\bin32\nSvcAppFlt.exe
C:\Program Files\bin32\nSvcIp.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\ProgramData\Google\Google Toolbar\Update\gtb1FC4.tmp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Riss\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FYK581EH\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1210&m=el1210-09
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1210&m=el1210-09
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1210&m=el1210-09
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - c:\programdata\partner\partner.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [TP CfgWiz] "c:\program files\common files\symantec shared\opc\{c86ea115-facd-4aa8-bfa2-398c677d0936}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config -REBOOT
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [eRecoveryService]
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2010-12-29 24576]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-17 149352]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-8-12 43552]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-8-12 1245064]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-8-12 30192]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20080215.001\IDSvix86.sys [2008-8-12 261680]

=============== Created Last 30 ================

2010-12-29 22:59:22 -------- d-----w- c:\users\riss\appdata\roaming\Malwarebytes
2010-12-29 22:59:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 22:58:59 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-29 22:58:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-29 22:58:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-29 22:17:28 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-12-29 22:17:20 -------- d-----w- c:\program files\Panda Security
2010-12-29 22:05:05 -------- d-----w- c:\users\riss\appdata\roaming\Symantec
2010-12-29 21:59:23 487424 ----a-w- c:\windows\system32\INT15.dll
2010-12-29 21:59:22 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-12-29 21:59:11 98304 ----a-w- c:\windows\system32\cabview.dll
2010-12-29 21:58:38 17952 ----a-w- c:\windows\system32\drivers\int15_64.sys
2010-12-29 21:58:38 15392 ----a-w- c:\windows\system32\drivers\int15.sys
2010-12-29 21:58:04 -------- d-----w- c:\program files\EMACHINES
2010-12-29 21:57:30 -------- d-----w- c:\users\riss\appdata\local\Google
2010-12-29 21:55:11 -------- d-----w- c:\progra~2\Partner
2010-12-29 21:55:03 -------- d-----w- c:\program files\eBay
2010-12-29 21:54:07 -------- d-----w- c:\users\riss\appdata\local\VirtualStore
2010-12-29 21:50:57 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-12-29 21:50:45 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-12-29 21:50:32 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-12-29 21:50:32 171608 ----a-w- c:\windows\system32\wuwebv.dll

==================== Find3M ====================


============= FINISH: 19:31:40.53 ===============


#7 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 30 December 2010 - 02:34 AM

Hi,

Is the Norton license still valid?

I can also no longer scan from eset.

What happens when you try to do it?

Any other issues left?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#8 bryanrutgers
  • Topic Starter
  • Members
  • 14 posts

Posted 30 December 2010 - 11:37 AM

Still have redirect issues. Maybe?? Not this morning; yesterday, yes.


Norton license valid.


This morning ESET is working. I will post what I find from that and try GMER again when ESET is done.

#9 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 30 December 2010 - 11:47 AM

Hi,

Ok. Since the Norton license is valid, please update Norton then.


Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log in your reply.

Edited by Blade81, 30 December 2010 - 11:47 AM.



#10 bryanrutgers
  • Topic Starter
  • Members
  • 14 posts

Posted 30 December 2010 - 02:03 PM

Thanks for the help to this point. For the first time in 2 weeks I have faith that this will get fixed.

Norton updated.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 1 (build 6001), 32-bit
Base Board Manufacturer: eMachines
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: eMachines
System Product Name: EL1210-09
Logical Drives Mask: 0x000000dc

Kernel Drivers (total 155):
0x81E3B000 \SystemRoot\system32\ntkrnlpa.exe
0x81E08000 \SystemRoot\system32\hal.dll
0x80404000 \SystemRoot\system32\kdcom.dll
0x8040C000 \SystemRoot\system32\PSHED.dll
0x8041D000 \SystemRoot\system32\BOOTVID.dll
0x80425000 \SystemRoot\system32\CLFS.SYS
0x80466000 \SystemRoot\system32\CI.dll
0x80546000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805C2000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8060A000 \SystemRoot\system32\drivers\acpi.sys
0x80650000 \SystemRoot\system32\drivers\WMILIB.SYS
0x80659000 \SystemRoot\system32\drivers\msisadrv.sys
0x80661000 \SystemRoot\system32\drivers\pci.sys
0x80688000 \SystemRoot\System32\drivers\partmgr.sys
0x80697000 \SystemRoot\system32\drivers\volmgr.sys
0x806A6000 \SystemRoot\System32\drivers\volmgrx.sys
0x806F0000 \SystemRoot\system32\drivers\pciide.sys
0x806F7000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x80705000 \SystemRoot\System32\drivers\mountmgr.sys
0x80715000 \SystemRoot\system32\drivers\pavboot.sys
0x8071B000 \SystemRoot\system32\drivers\atapi.sys
0x80723000 \SystemRoot\system32\drivers\ataport.SYS
0x80741000 \SystemRoot\system32\DRIVERS\nvstor32.sys
0x80765000 \SystemRoot\system32\DRIVERS\storport.sys
0x807A6000 \SystemRoot\system32\drivers\fltmgr.sys
0x807D8000 \SystemRoot\system32\drivers\fileinfo.sys
0x807E8000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x86E0C000 \SystemRoot\System32\Drivers\ksecdd.sys
0x86E7D000 \SystemRoot\system32\drivers\ndis.sys
0x86F88000 \SystemRoot\system32\drivers\msrpc.sys
0x86FB3000 \SystemRoot\system32\drivers\NETIO.SYS
0x8700F000 \SystemRoot\System32\drivers\tcpip.sys
0x870F6000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8720B000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8731A000 \SystemRoot\system32\drivers\volsnap.sys
0x87353000 \SystemRoot\System32\Drivers\spldr.sys
0x8735B000 \SystemRoot\System32\Drivers\mup.sys
0x8736A000 \SystemRoot\System32\drivers\ecache.sys
0x87391000 \SystemRoot\system32\drivers\disk.sys
0x873A2000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x873C3000 \SystemRoot\system32\drivers\crcdisk.sys
0x873E3000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x873EE000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x87135000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x873F7000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x87200000 \SystemRoot\system32\DRIVERS\nvsmu.sys
0x87145000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8714F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8718D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8719C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x871AE000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x87208000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0x8A60B000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8A80C000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8AF2C000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8AFCB000 \SystemRoot\System32\drivers\watchdog.sys
0x8B20C000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0x8B332000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8B334000 \SystemRoot\system32\drivers\modem.sys
0x8B341000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8B351000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8B35F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8B38D000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8B398000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8B3AF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8B3BA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8B3DD000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8B3EC000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8AFD8000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8AFED000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8B200000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8A800000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8AFFD000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8A708000 \SystemRoot\system32\DRIVERS\ks.sys
0x8A732000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8A73C000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8A749000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8A77D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8B401000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8B60D000 \SystemRoot\system32\drivers\portcls.sys
0x8B63A000 \SystemRoot\system32\drivers\drmk.sys
0x8B65F000 \SystemRoot\system32\drivers\nvhda32v.sys
0x8B66D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8B676000 \SystemRoot\System32\Drivers\Null.SYS
0x8B67D000 \SystemRoot\System32\Drivers\Beep.SYS
0x8B6A0000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8B6A7000 \SystemRoot\System32\drivers\vga.sys
0x8B6B3000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8B6D4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8B6DC000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8B6E4000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8B6EF000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8B6FD000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8B706000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8B71C000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0x8B749000 \??\C:\Windows\system32\Drivers\SYMEVENT.SYS
0x8B76E000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0x8B772000 \SystemRoot\System32\Drivers\SYMDNS.SYS
0x8B774000 \SystemRoot\System32\Drivers\SYMNDISV.SYS
0x8B781000 \SystemRoot\System32\Drivers\SYMFW.SYS
0x8B797000 \SystemRoot\system32\DRIVERS\smb.sys
0x8B7AB000 \SystemRoot\system32\drivers\afd.sys
0x8A78E000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8B7F3000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x8B684000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8A7C9000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8A7D7000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8A7EA000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0x8C071000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8C0AD000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8C0B7000 \??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20101215.001\IDSvix86.sys
0x8C100000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0x8C15E000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8C175000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8C17E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8C18E000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x8C1AB000 \SystemRoot\System32\Drivers\dfsc.sys
0x8C1C2000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8C1CB000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8C1D3000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x8C1E5000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8C1F2000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x871C6000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x92000000 \SystemRoot\System32\win32k.sys
0x8A7F4000 \SystemRoot\System32\drivers\Dxapi.sys
0x873CC000 \SystemRoot\system32\DRIVERS\monitor.sys
0x92220000 \SystemRoot\System32\TSDDD.dll
0x92240000 \SystemRoot\System32\cdd.dll
0x87111000 \SystemRoot\system32\drivers\luafv.sys
0x9AA0B000 \SystemRoot\system32\drivers\spsys.sys
0x9AABA000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9AACA000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9AADD000 \SystemRoot\system32\drivers\HTTP.sys
0x9AB48000 \??\C:\Windows\system32\drivers\CO_Mon.sys
0x9AB50000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9AB6D000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9AB86000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9AB9B000 \SystemRoot\system32\drivers\mrxdav.sys
0x9ABBB000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9CE02000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9CE3B000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9CE53000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9CE7A000 \SystemRoot\System32\DRIVERS\srv.sys
0x9CEC6000 \??\C:\Windows\system32\drivers\int15.sys
0x9CECD000 \SystemRoot\system32\drivers\peauth.sys
0x9CFAB000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9CFB5000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9CFC1000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x9CFD6000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0x9F60E000 \SystemRoot\System32\Drivers\SRTSP.SYS
0x9F7B6000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x9F657000 \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20101230.003\NAVEX15.SYS
0x9F7A2000 \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20101230.003\NAVENG.SYS
0x8C000000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0x775A0000 \Windows\System32\ntdll.dll

Processes (total 70):
0 System Idle Process
4 System
440 C:\Windows\System32\smss.exe
508 csrss.exe
552 C:\Windows\System32\wininit.exe
560 csrss.exe
612 C:\Windows\System32\services.exe
636 C:\Windows\System32\winlogon.exe
664 C:\Windows\System32\lsass.exe
672 C:\Windows\System32\lsm.exe
832 C:\Windows\System32\svchost.exe
884 C:\Windows\System32\nvvsvc.exe
912 C:\Windows\System32\svchost.exe
1024 C:\Windows\System32\svchost.exe
1128 C:\Windows\System32\svchost.exe
1148 C:\Windows\System32\svchost.exe
1220 C:\Windows\System32\audiodg.exe
1252 C:\Windows\System32\SLsvc.exe
1284 C:\Windows\System32\svchost.exe
1396 C:\Windows\System32\svchost.exe
1444 C:\Windows\System32\rundll32.exe
1648 C:\Windows\System32\spoolsv.exe
1676 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
1908 C:\Windows\System32\svchost.exe
900 C:\Windows\System32\taskeng.exe
1308 C:\Windows\System32\agrsmsvc.exe
1416 C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
684 C:\Windows\System32\svchost.exe
1204 C:\Windows\System32\svchost.exe
1136 C:\Windows\System32\svchost.exe
1936 C:\Windows\System32\SearchIndexer.exe
2096 C:\Program Files\bin32\nSvcAppFlt.exe
2176 C:\Program Files\bin32\nSvcIp.exe
2208 WUDFHost.exe
2732 C:\Windows\System32\dwm.exe
2856 C:\Windows\System32\taskeng.exe
2880 C:\Windows\explorer.exe
3364 C:\Windows\System32\rundll32.exe
3380 C:\Windows\RtHDVCpl.exe
3464 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
3472 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
3484 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
3492 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3632 C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
2052 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
948 C:\Program Files\Internet Explorer\ieuser.exe
2536 C:\Program Files\Internet Explorer\iexplore.exe
3796 C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
2512 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
3800 C:\Program Files\Norton 360\ScanStub.exe
3516 C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
3288 C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
3884 C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
3352 C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
3196 C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
3300 C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
3716 C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
432 WmiPrvSE.exe
3212 C:\Windows\System32\wuauclt.exe
2320 C:\Windows\System32\wbem\WMIADAP.exe
3356 WmiPrvSE.exe
4268 C:\PROGRA~2\Symantec\LIVEUP~1\DOWNLO~1\Updt176\setup.exe
4300 C:\Windows\System32\msiexec.exe
4364 C:\Windows\System32\msiexec.exe
4672 drvinst.exe
4716 C:\Windows\System32\VSSVC.exe
4892 C:\Windows\System32\dllhost.exe
4988 dllhost.exe
5020 dllhost.exe
5052 C:\Users\Riss\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000004`00100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000014`a0803a00 (NTFS)

PhysicalDrive0 Model Number: ST3160815AS, Rev: 4.AA

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: F9C318645106A4E5B5F02D9F41DA89A2B4CB9CC5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
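The MBRCheck result above flags the disk's boot code as not matching any known-good image. As an added example (not MBRCheck's own code and not posted in this thread), the Python below parses a 512-byte MBR image such as the Dump.dat the tool can write, prints partition offsets in the same 0x00000004`00100000 style, hashes the 440-byte boot-code region with SHA1 and compares it against an allow-list of known-good hashes; the sample images, disk signature and allow-list are constructed here, since no real known-good hash appears on this page.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # 0x000-0x1B7: bootstrap code, the region MBRCheck calls "MBR code"
DISK_SIG_OFF = 0x1B8     # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"   # bytes 0x1FE-0x1FF


def build_mbr(boot_code, partitions, disk_signature=0x1234ABCD):
    """Assemble a constructed MBR image; partitions = [(status, type, start_lba, sectors)]."""
    mbr = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_signature)
    for i, (status, ptype, start, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        mbr[off], mbr[off + 4] = status, ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def dbg_offset(n):
    # Same hi`lo layout MBRCheck prints, e.g. 0x00000004`00100000 for C: above
    return f"0x{n >> 32:08x}`{n & 0xFFFFFFFF:08x}"


def parse_mbr(mbr):
    """Return boot-code SHA1, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte image, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        if mbr[off + 4] == 0:        # partition type 0 means an unused slot
            continue
        start, count = struct.unpack_from("<II", mbr, off + 8)
        parts.append({"status": mbr[off], "type": mbr[off + 4], "start_lba": start,
                      "sectors": count, "offset": dbg_offset(start * SECTOR)})
    return {"code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
            "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "partitions": parts}


def check_mbr(mbr, known_good):
    """Findings list; empty means the code hash is allow-listed and the table looks sane."""
    info = parse_mbr(mbr)
    findings = []
    if info["code_sha1"] not in known_good:
        findings.append("MBR code not in known-good set (MBRCheck reports this as 'MBR Code Faked!')")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition at {p['offset']} has invalid status byte {p['status']:#04x}")
    return findings


# Constructed sample data: a clean reference image whose hash forms the allow-list,
# and a copy with two boot-code bytes rewritten to play the "infected" MBR.
REFERENCE = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 30,
                      [(0x80, 0x07, 2048, 1_000_000), (0x00, 0x07, 1_002_048, 500_000)])
KNOWN_GOOD = {parse_mbr(REFERENCE)["code_sha1"]}
TAMPERED = REFERENCE[:0x10] + b"\xEB\xFE" + REFERENCE[0x12:]
```

Recording the reference hash while a machine is known clean and re-checking it later is the baseline version of what MBRCheck does with its shipped hash list.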

#11 bryanrutgers
  • Topic Starter
  • Members
  • 14 posts

Posted 30 December 2010 - 05:19 PM

Things seem to be working fine today. Computer seems a little slow but maybe not.


There is an external hard drive normally connected to this CPU; it is currently not connected to anything. Could there be malware of some kind on it? How do I get that off?

#12 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 31 December 2010 - 12:50 AM

Hi,

Re-run MBRCheck again.

1. When prompted, enter Y.
2. Then enter 1 to dump the MBR to physical disk.
3. Now the program will ask you: Enter the physical disk number to dump (0-99, -1 to cancel):
4. Enter 0 and press the Enter key.
5. Name the dumped file Dump.dat.
6. Enter -1 to exit.

A log file named dump.dat will be located in the same folder where MBRCheck was saved; please zip it up. Then upload the file to this website.

Kindly include a link to this topic in the message. Let me know when you have submitted the file.


When it comes to the external drive, you could check it with the ESET scanner.



#13 bryanrutgers
  • Topic Starter
  • Members
  • 14 posts

Posted 31 December 2010 - 11:20 AM

PM Sent. File Sent.


Checked external HD with ESET. ESET found nothing wrong.

#14 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 31 December 2010 - 01:33 PM

Hi,

You sent a log file while I was waiting for the archived dump.dat file. Did you follow the instructions to create the dump.dat file?



#15 bryanrutgers
  • Topic Starter
  • Members
  • 14 posts

Posted 02 January 2011 - 07:52 PM

Whoops. Resent what I hope is the right file.



