Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


antimalware doctor,keeps installing and can't connect to internet

  • This topic is locked This topic is locked
4 replies to this topic

#1 KPM11


  • Members
  • 6 posts
  • Local time:07:20 AM

Posted 14 January 2011 - 11:31 PM


I had an original post but had not run the logs or captures so here goes. None of the rkill versions I have downloaded will run, all give me an error message that is a CRC error and an expected end of file. I could not find a file upload option to attach the attach.zip?

Thanks so much


DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Administrator at 22:41:29.10 on Fri 01/14/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1751 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mURLSearchHooks: H - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\valued customer\local settings\application data\cyberdefender\cdmyidd.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\documents and settings\valued customer\local settings\application data\cyberdefender\cdmyidd.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [PDFCreatorClient] "c:\program files\jawssystems\jaws pdf creator\PDFClient.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI -clearReboot
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\vongot~1.lnk - c:\program files\vongo\Tray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {1791C036-8981-492A-BD28-F2331BC9B7C7} - hxxp://localhost/Support/iPlotLibrary.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212610628578
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://vpn.casne.com/NELX.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C5412DD5-2E2F-11D3-85BF-00105AC8B715} - hxxp://localhost/Support/isAnalogLibrary.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://edsa.webex.com/client/T23L/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E29C6B91-3542-4F37-82CE-2BFB7B8933D3} - hxxp://localhost/Support/iProfessionalLibrary.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 386840]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-13 141792]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2007-10-23 19376]
S1 LUM;LUM;c:\windows\system32\drivers\LUM.sys [2006-6-26 15080]
S2 gupdate1c9f527b8622a14;Google Update Service (gupdate1c9f527b8622a14);c:\program files\google\update\GoogleUpdate.exe [2009-6-24 133104]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-12-31 693512]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2008-3-30 4736]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-12-31 910600]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2008-3-30 8960]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-6-5 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-6-5 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-6-5 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-6-5 59520]
S4 IBM License Use Management CR;IBM LUM V5 Central Registry License Server;c:\progra~1\ibm\licens~1\bin\LUMGDB.EXE [2006-6-26 24576]
S4 IBM License Use Management LMD;IBM LUM V5 Network License Server;c:\progra~1\ibm\licens~1\bin\LUMLMD.EXE [2006-6-26 24576]

=============== Created Last 30 ================

2011-01-14 01:29:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-14 01:29:23 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-14 01:29:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-14 01:03:47 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-01-10 03:08:11 -------- d-----w- C:\spoolerlogs
2010-12-19 22:47:18 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-19 22:45:55 45568 ------w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:34:12 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34:11 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34:11 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-03 12:25:53 389120 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_ rev.892C -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A9BCEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88431872; SUB DWORD [EBP-0x4], 0x8843112e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A0B8AB8]
3 CLASSPNP[0xF74E7FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000081[0x8A9B1938]
5 ACPI[0xF743E620] -> nt!IofCallDriver[0x804E13B9] -> [0x8AA32030]
[0x8A04CA98] -> IRP_MJ_CREATE -> 0x8A9BCEC5
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHV2120BH_PL____________________892C____#4&2a90f72b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\iaStor DriverStartIo -> 0x8A9BCAEA
user & kernel MBR OK
sectors 234441646 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 22:44:40.50 ===============

GMER - http://www.gmer.net
Rootkit scan 2011-01-14 23:15:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 FUJITSU_ rev.892C
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxlcrpog.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF727A0A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF727A0B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\compbatt.sys entry point in ".rsrc" section [0xF789D214]
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 8A9BCAEA

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskFUJITSU_MHV2120BH_PL____________________892C____#4&2a90f72b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000c7647009f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000c7647009f (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000c7647009f

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 234441392 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\compbatt.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

Edited by boopme, 15 January 2011 - 10:35 AM.

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:20 PM

Posted 19 January 2011 - 06:36 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 KPM11

  • Topic Starter

  • Members
  • 6 posts
  • Local time:07:20 AM

Posted 19 January 2011 - 10:28 PM

hello m01e

I have been able to solve the problem but thank you for taking the time. I am also interested in providing a donation to bleeping computer and have a post on that if you know how.

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:20 PM

Posted 20 January 2011 - 06:19 PM

Thanks for letting me know. Bleeping Computer itself does not take donations but the owner does allow volunteers like myself to link to PayPal in the signature so that individuals can be donated to.
Posted Image
m0le is a proud member of UNITE

#5 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:20 PM

Posted 26 January 2011 - 07:47 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users