Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Disabled Services Virus?


  • This topic is locked This topic is locked
2 replies to this topic

#1 PM5K

PM5K

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:32 AM

Posted 26 September 2011 - 02:03 PM

First here is my original thread.

Windows 7, I have an issue with services not starting, including firewall, networking, event log, Windows Update, and more.

Here are my logs, thanks in advance.

GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-25 23:34:51
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9250315AS rev.0001SDM1
Running: 2r63phl0.exe; Driver: C:\Users\User\AppData\Local\Temp\kxldapob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A7E579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AA2F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE peauth.sys 97565BEC 111 Bytes [2E, F5, 8D, EA, 22, CA, 66, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[1880] kernel32.dll!SetUnhandledExceptionFilter 757E3142 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1700] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateThread] [0044C85C] C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit)
IAT C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1700] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044CA60] C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit)
IAT C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1700] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0044C85C] C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit)
IAT C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1700] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044CA60] C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by User at 13:56:29 on 2011-09-26
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2943.2219 [GMT -5:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Windows\system32\lxbscoms.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\PnkBstrA.exe
C:\Program Files\Roozz\RoozzHelper.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\McAfee Security Scan\2.1.121\SSScheduler.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.search-results.com?o=41647951&l=dis
uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60475
mStart Page = hxxp://www.bigseekpro.com/pivotstickfigure/{F5F35B0B-FA06-4451-B2DF-EE1EF649D26F}
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - c:\program files\pivot stickfigure toolbar\tbhelper.dll
mURLSearchHooks: OurWorld.com Toolbar: {80f6f9bf-9fd1-4f41-9ddf-6dd070f4f62f} - c:\program files\ourworld.com\tbOur1.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\progra~1\bearsh~1\mediabar\toolbar\BearshareMediabarDx.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: MediaBar: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - c:\progra~1\imesha~1\mediabar\toolbar\imeshdtxmltbpi.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: OurWorld.com Toolbar: {80f6f9bf-9fd1-4f41-9ddf-6dd070f4f62f} - c:\program files\ourworld.com\tbOur1.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: DCA BHO: {b49699fc-1665-4414-a1cb-c4a2a4a13eec} - c:\program files\common files\freecause\dca\dca-bho.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Shop to Win 8: {dac028c6-2a41-4730-b91f-dfbcb26c82b3} - c:\program files\shop to win 8\ShoppingBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: NetAssistantBHO Class: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\my.freeze.com netassistant\NetAssistant.dll
BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\pivot stickfigure toolbar\tbcore3.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers\YontooIEClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: OurWorld.com Toolbar: {80f6f9bf-9fd1-4f41-9ddf-6dd070f4f62f} - c:\program files\ourworld.com\tbOur1.dll
TB: {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - No File
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: MediaBar: {0974ba1e-64ec-11de-b2a5-e43756d89593} - c:\progra~1\bearsh~1\mediabar\toolbar\BearshareMediabarDx.dll
TB: MediaBar: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - c:\progra~1\imesha~1\mediabar\toolbar\imeshdtxmltbpi.dll
TB: Pivot Stickfigure Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files\pivot stickfigure toolbar\tbcore3.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [MediaGet2] c:\users\user\appdata\local\mediaget2\mediaget.exe --minimized
uRun: [EADM] "c:\program files\origin\Origin.exe" -AutoStart
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunServices: [SetupClientLauncher] c:\users\user\downloads\setup (1).exe
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\kuma_t~1.lnk - c:\program files\kuma games\kgsystray\Kuma_tray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.1.121\SSScheduler.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {4944924A-64E4-49C1-AC97-ABA3927262FE} - hxxp://channel.dontblynk.com/Launcher/StWbUsa.CAB
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{22CB3473-7101-4FCC-BD16-B2EDB3561F93} : DhcpNameServer = 192.168.1.1
AppInit_DLLs: c:\windows\system32\nvinit.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-6-28 821080]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-10 366640]
R2 Roozz Helper;Roozz Helper;c:\program files\roozz\RoozzHelper.exe [2011-8-7 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-8 22712]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-3 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-3 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.1.121\McCHSvc.exe [2010-9-3 227232]
S3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2009-6-10 657408]
S3 npggsvc;nProtect GameGuard Service; [x]
.
=============== Created Last 30 ================
.
2011-08-28 00:54:10 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
.
==================== Find3M ====================
.
2011-07-23 04:39:57 1 ----a-w- c:\windows\system32\SI.bin
.
============= FINISH: 13:57:18.38 ===============



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,222 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:32 AM

Posted 01 October 2011 - 09:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please let me know if the problem persists.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,222 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:32 AM

Posted 05 October 2011 - 01:23 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users