Internet and monitor only work in safe mode -- Hijackthis log


35 replies to this topic

#1 icarusbreathes (Members, 47 posts)

Posted 16 October 2011 - 03:42 PM

I've been infected, using Windows Vista Home Basic 32bit and it's caused a couple of things to happen: at first I was getting redirected in google and general slowdown. Then I ran Malwarebytes and cleared a bunch of stuff, downloaded Microsoft Security Essentials, installed some windows updates, then eventually my internet stopped working altogether. Then my monitor stopped working, saying there was an input timing error. I system restored and it didn't do anything except remove Microsoft Security Essentials basically. I can boot in safe mode 640x800 or whatever, and just now found out I can boot in this safe mode with directory assistance and get a normal resolution. Ran Malwarebytes again, removed 8 things... can now connect to the internet in this safe mode, but I know my computer is far from repaired. Here's a Hijackthis log if it helps.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:41:43 PM, on 10/16/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\Josh\Desktop\Maintenance\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFre0.dll
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Freecorder - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFre0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\prxtbFre0.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Freecorder FLV Service] "C:\Program Files\Freecorder\FLVSrvc.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBGAFIARQBFAC0AVgA2AFoASgBBAC0AQgBOADIAWQBRAC0ARgAzAFYAUwBSAC0AVgBXAFMAUgA0AC0AVgBZADcATQBaAA"&"inst=NwA3AC0ANAAyADEANQAzADYAMgA5ADMALQBGAFAAOQArADYALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAEYAOQBNACsAMQAtAEYAOQBNADcAQQArADUALQBGADkATQA3AEIAKwAyAC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AA"&"prod=90"&"ver=9.0.872
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\PokerTimeMPP\MPPoker.exe (file missing) (HKCU)
O9 - Extra button: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UB\UB.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: UB - {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} - C:\Users\Josh\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UB\UB.lnk (file missing) (HKCU)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\Josh\AppData\Local\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8183 bytes

Edit: Moved topic from Vista to the more appropriate forum. ~ Animal
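The HijackThis log above is the kind of thing a malware-response helper reads line by line for the same few red flags. As an added example, not part of the original post and not HijackThis code, here is a small Python triage script for that line format; the set of expected IE hosts, the heuristics and the reported reasons are this example's own assumptions, and the sample lines are copied (one shortened) from the log above plus one constructed O1 line mirroring the hosts entry in the later DDS log.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not code from the original post or from HijackThis. It parses
the "Rn - ..." / "On - ..." line formats shown in the log above and flags the
traits a helper looks for first: entries whose file is gone, nameless hooks,
services with no identifiable vendor, hosts-file entries that sinkhole a real
name to loopback, autoruns that launch cmd.exe, and IE start/search pages that
point somewhere other than the hosts seen in this log.
"""
import re
from dataclasses import dataclass

# Hosts the author's IE start/search pages point at in the log above (assumed
# baseline for this example); any other host in an R0/R1 line is reported.
EXPECTED_IE_HOSTS = {"go.microsoft.com", "g.msn.com"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
URL_HOST_RE = re.compile(r'https?://([^/\s"]+)', re.I)
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code, e.g. "O23"
    reason: str  # why the line was flagged
    line: str    # the original log line


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one HJT log line (empty list if it looks benign)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # headers, running-process list, blank lines
    code, body = m.group("code"), m.group("body")
    found: list[Finding] = []

    if "(file missing)" in body or "(no file)" in body:
        found.append(Finding(code, "references a file that no longer exists", line))
    if "(no name)" in body or "[<NO NAME>]" in body:
        found.append(Finding(code, "nameless entry", line))
    if code == "O23" and "Unknown owner" in body:
        found.append(Finding(code, "service with no identifiable vendor", line))
    if code in ("R0", "R1"):
        for host in URL_HOST_RE.findall(body):
            if host.lower() not in EXPECTED_IE_HOSTS:
                found.append(Finding(code, f"IE start/search page points at {host}", line))
    if code == "O1":
        # "Hosts: <ip> <name>": a real name mapped to loopback blocks that site.
        parts = body.removeprefix("Hosts:").split()
        if len(parts) >= 2 and parts[0] in LOOPBACK and parts[1].lower() != "localhost":
            found.append(Finding(code, f"hosts file sinkholes {parts[1]} to loopback", line))
    if code == "O4" and re.search(r"\bcmd(\.exe)?\b", body, re.I):
        found.append(Finding(code, "autorun entry launches cmd.exe", line))
    return found


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of an HJT log."""
    return [f for line in text.splitlines() for f in triage_line(line)]


# Sample lines copied from the log above (the AVG URL shortened), plus one
# constructed O1 line modelled on the DDS log's "Hosts: 127.0.0.1 www.spywareinfo.com".
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USSMB/1
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 www.spywareinfo.com
O4 - HKLM\..\RunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf
O9 - Extra button: PokerTime - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\PokerTimeMPP\MPPoker.exe (file missing) (HKCU)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```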


#2 HelpBot (Bleepin' Binary Bot, 12,760 posts)

Posted 21 October 2011 - 03:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/423782 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 icarusbreathes (Topic Starter, Members, 47 posts)

Posted 24 October 2011 - 01:08 PM

Still can only boot in this Directory Assistance Safe mode type-thing... quite annoying... attached new attach.txt and GMER log and here is new DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86 DSREPAIR
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_26
Run by Josh at 18:16:10 on 2011-10-22
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3036.1535 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AERTSrv.exe
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Users\Josh\AppData\Local\TVersity\Media Server\MediaServer.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
uURLSearchHooks: H - No File
mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRunOnce: [Application Restart #0] c:\program files\windows media player\wmpnscfg.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10v_Plugin.exe -update plugin
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBGAFIARQBFAC0AVgA2AFoASgBBAC0AQgBOADIAWQBRAC0ARgAzAFYAUwBSAC0AVgBXAFMAUgA0AC0AVgBZADcATQBaAA"&"inst=NwA3AC0ANAAyADEANQAzADYAMgA5ADMALQBGAFAAOQArADYALQBCAEEAUgA5AEcAKwAxAC0AVABCADkAKwAyAC0ARgBMACsAOQAtAEYAOQBNACsAMQAtAEYAOQBNADcAQQArADUALQBGADkATQA3AEIAKwAyAC0AWABPADMANgArADEALQBGADkATQA3AEMAKwA1AA"&"prod=90"&"ver=9.0.872
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{8A59DC49-2E3C-4FD2-8C1C-DFEA53EF849C} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\josh\appdata\roaming\mozilla\firefox\profiles\a5y0l05f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.somethingawful.com/|http://streak.espn.go.com/en/entry
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\users\josh\appdata\roaming\mozilla\firefox\profiles\a5y0l05f.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\josh\appdata\roaming\mozilla\firefox\profiles\a5y0l05f.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\byond\bin\npbyond.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\josh\appdata\roaming\facebook\npfbplugin_1_0_3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2009-6-24 81920]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-1-20 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-6-24 27648]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-7-18 24652]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-22 112128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-10-18 12:59:26 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{96a348c5-eef9-4c6a-8834-5cb679ea5229}\mpengine.dll
2011-10-18 12:59:26 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{96a348c5-eef9-4c6a-8834-5cb679ea5229}\offreg.dll
2011-10-16 20:04:53 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-16 20:04:53 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-16 20:04:53 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-16 20:04:53 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-16 20:04:51 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-16 20:04:35 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-10-16 20:04:33 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-16 20:04:33 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-16 20:04:33 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-16 20:04:33 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-13 00:21:24 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-12 22:36:46 -------- d-----w- c:\users\josh\appdata\roaming\70CC8
2011-10-12 22:36:27 -------- d-----w- c:\users\josh\appdata\roaming\3CB70
2011-10-12 22:36:13 -------- d-----w- c:\users\josh\appdata\roaming\h000ucSS1bDon4m
2011-10-12 22:36:09 -------- d-----w- c:\users\josh\appdata\roaming\u777dEEL8gRqhXw
2011-10-12 22:36:09 -------- d-----w- c:\users\josh\appdata\roaming\cZ9hYYwwjVeItPy
2011-10-12 22:36:08 -------- d-----w- c:\users\josh\appdata\roaming\HTZZqhhYkVrlBtP
2011-10-05 16:54:57 -------- d-----w- c:\users\josh\appdata\roaming\ofRRZZ9hTXwjCeI
2011-10-05 16:54:57 -------- d-----w- c:\users\josh\appdata\roaming\gxxxA11uvS2oF3
2011-10-05 16:53:28 -------- d-----w- c:\users\josh\appdata\roaming\RppmmH55sQ7dE8g
2011-10-05 16:53:28 -------- d-----w- c:\users\josh\appdata\roaming\CXXwwkUUVeOBtP0
2011-10-05 16:48:08 -------- d-----w- c:\users\josh\appdata\roaming\wHH66sWJ7fEL8
2011-10-05 16:48:08 -------- d-----w- c:\users\josh\appdata\roaming\DuuucSS1ibDon4a
2011-10-05 16:40:51 -------- d-----w- c:\users\josh\appdata\roaming\y000uvSS2ib3pG5
2011-10-05 16:40:51 -------- d-----w- c:\users\josh\appdata\roaming\h999hTTjjUekIOx
2011-10-05 09:39:16 -------- d-----w- c:\users\josh\appdata\roaming\vddEEK8ffR
2011-10-05 09:39:16 -------- d-----w- c:\users\josh\appdata\roaming\R999hTTXwjUelB
2011-10-05 08:36:37 -------- d-----w- c:\users\josh\appdata\roaming\ZiibbD33pnGa
2011-10-05 08:36:37 -------- d-----w- c:\users\josh\appdata\roaming\hkkIIVrzzNtx0uS
2011-10-05 08:36:31 -------- d-----w- c:\users\josh\appdata\roaming\QpppmGG5aQJ6WKf
2011-10-05 08:36:30 -------- d-----w- c:\users\josh\appdata\roaming\ETTXXwjUUClIBzN
2011-10-01 17:22:38 -------- d-----w- c:\users\josh\appdata\roaming\hEEK8fRRZ9hX
2011-10-01 17:22:33 -------- d-----w- c:\users\josh\appdata\roaming\m11uuvDD2ob4p
2011-09-26 21:43:02 -------- d-----w- c:\users\josh\appdata\roaming\Ableton
2011-09-26 21:43:02 -------- d-----w- c:\programdata\Ableton
2011-09-26 21:40:04 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2011-09-26 21:36:30 -------- d-----w- c:\program files\Ableton
.
==================== Find3M ====================
.
2011-10-05 23:32:25 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-02 13:39:07 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-01 20:37:49 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-20 17:09:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-16 16:15:15 834048 ----a-w- c:\windows\system32\wininet.dll
2011-08-16 14:20:55 389632 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 18:16:36.06 ===============

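The "Created Last 30" section of the DDS log above lists a burst of directories with machine-generated names created directly under AppData\Roaming. As an added example, not from the original post and not DDS code, this script parses that section's entry format and scores each newly created directory name for the traits those entries share; the scoring rules, the watched parent folders and the threshold are this example's own heuristics, and the sample entries are copied from the log above.

```python
"""Spot random-named directories in a DDS "Created Last 30" section.

Added example, not code from the original post or from the DDS tool. It parses
the DDS entry format shown above (date, time, size or --------, attribute
string, path) and scores the names of directories created directly under
AppData\Roaming or ProgramData for the traits of machine-generated names:
letters mixed with digits, doubled characters, almost no vowels, and frequent
case flips.  A vendor folder such as "Ableton" scores 0; entries in the style
of 70CC8 or ofRRZZ9hTXwjCeI score 2 or more.  Thresholds are this example's own.
"""
import re

ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
# Parents (lower-case) whose direct children get scored; chosen for this example.
WATCHED_PARENTS = (r"\appdata\roaming", r"c:\programdata")
RANDOM_THRESHOLD = 2  # a score at or above this is reported


def randomness_score(name: str) -> int:
    """Count how many 'generated name' traits a directory name shows (0-4)."""
    letters = [c for c in name if c.isalpha()]
    digits = [c for c in name if c.isdigit()]
    score = 0
    if letters and digits:
        score += 1  # letters mixed with digits
    if re.search(r"(.)\1", name):
        score += 1  # doubled characters such as RR, SS, 000
    if letters and sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.2:
        score += 1  # almost no vowels, unlike a pronounceable product name
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    if flips >= 3:
        score += 1  # frequent upper/lower case changes
    return score


def parse_entry(line: str):
    """Return (attrs, path) for one DDS created/modified entry, or None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return m.group("attrs"), m.group("path")


def suspicious_new_dirs(dds_text: str, threshold: int = RANDOM_THRESHOLD) -> list[tuple[str, int]]:
    """Return (path, score) for random-looking directories under the watched parents."""
    hits = []
    for line in dds_text.splitlines():
        parsed = parse_entry(line.strip())
        if not parsed:
            continue
        attrs, path = parsed
        if not attrs.startswith("d"):
            continue  # DDS marks directories with a leading 'd'; files are skipped
        parent = path.lower().rpartition("\\")[0]
        name = path.rpartition("\\")[2]
        if not parent.endswith(WATCHED_PARENTS):
            continue
        score = randomness_score(name)
        if score >= threshold:
            hits.append((path, score))
    return hits


# Sample entries copied from the "Created Last 30" section of the DDS log above.
SAMPLE_DDS = r"""
2011-10-18 12:59:26 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{96a348c5-eef9-4c6a-8834-5cb679ea5229}\mpengine.dll
2011-10-13 00:21:24 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-12 22:36:46 -------- d-----w- c:\users\josh\appdata\roaming\70CC8
2011-10-12 22:36:27 -------- d-----w- c:\users\josh\appdata\roaming\3CB70
2011-10-12 22:36:13 -------- d-----w- c:\users\josh\appdata\roaming\h000ucSS1bDon4m
2011-10-05 16:54:57 -------- d-----w- c:\users\josh\appdata\roaming\ofRRZZ9hTXwjCeI
2011-10-05 16:48:08 -------- d-----w- c:\users\josh\appdata\roaming\wHH66sWJ7fEL8
2011-09-26 21:43:02 -------- d-----w- c:\users\josh\appdata\roaming\Ableton
2011-09-26 21:43:02 -------- d-----w- c:\programdata\Ableton
"""

if __name__ == "__main__":
    for path, score in suspicious_new_dirs(SAMPLE_DDS):
        print(f"score {score}: {path}")
```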

#4 shelf life (Malware Response Team, 2,688 posts)

Posted 24 October 2011 - 04:42 PM

Based on the Gmer log you have a rootkit on your machine. Until it's clean you really shouldn't use the computer and it shouldn't have any connectivity either. If you're not sure how to stop connectivity then I would just power it off.
We will use combofix first. There is a guide to read first. You can read through the guide on another machine if you can. Once you are done download combofix to the compromised computer--to the desktop. In Vista right click and run as Admin... you can run combofix in safe mode. Please post the combofix log.

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#5 icarusbreathes (Topic Starter, Members, 47 posts)

Posted 24 October 2011 - 06:53 PM

Based on the Gmer log you have a rootkit on your machine. Until it's clean you really shouldn't use the computer and it shouldn't have any connectivity either. If you're not sure how to stop connectivity then I would just power it off.
We will use combofix first. There is a guide to read first. You can read through the guide on another machine if you can. Once you are done download combofix to the compromised computer--to the desktop. In Vista right click and run as Admin... you can run combofix in safe mode. Please post the combofix log.

Guide to using Combofix


Unfortunately I don't have another computer and this computer is essential to my daily living, especially as a student. This Directory Services Repair mode seems to have limited functionality and I've tried to limit activity outside of careful browsing.

I try to run combofix as admin and it doesn't work. At the beginning it says so, then acts like it's scanning or about to start scanning then windows gives an error closing it. Now what?

#6 shelf life (Malware Response Team, 2,688 posts)

Posted 25 October 2011 - 05:26 PM

You mention

Directory Services Repair mode

You want just plain safe mode. Is this what you're doing to reach safe mode?

Link to below is here.

Safe mode starts Windows with a limited set of files and drivers. Startup programs do not run in safe mode, and only the basic drivers needed to start Windows are installed.

Safe mode is useful for troubleshooting problems with programs and drivers that might not start correctly, or that might prevent Windows from starting correctly. If a problem does not reappear when you start in safe mode, you can eliminate the default settings and basic device drivers as possible causes. If a recently installed program, device, or driver prevents Windows from running correctly, you can start your computer in safe mode and then remove the program that is causing the problem.


1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
   Click the Start button, click the arrow next to the Lock button, and then click Restart.

2. Do one of the following:
   - If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you will need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
   - If your computer has more than one operating system, use the arrow keys to highlight the operating system you want to start in safe mode, and then press F8.

3. On the Advanced Boot Options screen, use the arrow keys to highlight the safe mode option you want, and then press ENTER. For more information about options, see Advanced startup options (including safe mode).

4. Log on to your computer with a user account that has administrator rights.

When your computer is in safe mode, you'll see the words Safe Mode in the corners of the display. To exit safe mode, restart your computer and let Windows start normally.


How Can I Reduce My Risk to Malware?
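The steps above rely on reading the words "Safe Mode" off the screen, which is exactly what a broken display driver makes hard. As an added example (not part of shelf life's post or of any tool mentioned in the thread), the PowerShell below confirms the current boot mode from inside Windows instead: it reads the Win32_ComputerSystem BootupState WMI property, the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option key that Windows creates only for the duration of a safe-mode session, and the `safeboot` entry in the current BCD boot entry (which, if present, means the machine will keep booting into safe mode until it is cleared). It uses Get-WmiObject rather than Get-CimInstance so it runs on the Vista-era PowerShell 2.0 the thread is about; the function name Get-BootModeReport is my own.

```powershell
# Added example, not from the thread: report how Windows was booted.
# Assumes PowerShell 2.0 or later on Vista/Windows 7; run from an elevated
# prompt so that bcdedit can read the boot configuration store.

function Get-BootModeReport {
    # WMI reports "Normal boot", "Fail-safe boot" or "Fail-safe with network boot".
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $bootupState = $cs.BootupState

    # This key exists only while Windows is running in safe mode.
    # OptionValue 1 = Safe Mode (minimal), 2 = Safe Mode with Networking.
    $optionKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option'
    $optionValue = $null
    if (Test-Path $optionKey) {
        $optionValue = (Get-ItemProperty -Path $optionKey).OptionValue
    }

    $mode = switch ($optionValue) {
        1       { 'Safe Mode (minimal)' }
        2       { 'Safe Mode with Networking' }
        $null   { 'Normal boot (no SafeBoot\Option key present)' }
        default { "Safe Mode variant (OptionValue=$optionValue)" }
    }

    # A persistent "safeboot" flag in the BCD entry means F8 is not needed:
    # the machine will boot into safe mode every time until bcdedit /deletevalue safeboot.
    $persistentSafeBoot = $null
    foreach ($line in (bcdedit /enum '{current}' 2>$null)) {
        if ($line -match '^\s*safeboot\s+(\S+)') { $persistentSafeBoot = $Matches[1] }
    }

    New-Object PSObject -Property @{
        BootupState        = $bootupState
        SafeBootOption     = $optionValue
        Mode               = $mode
        PersistentSafeBoot = $persistentSafeBoot
    }
}

Get-BootModeReport | Format-List
```

If PersistentSafeBoot comes back as Minimal or Network while you expected a normal boot, the boot entry itself is forcing safe mode; that is a configuration state, not necessarily malware, and it is worth knowing before attributing every odd reboot to the infection.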


#7 icarusbreathes

icarusbreathes
  • Topic Starter

  • Members
  • 47 posts

Posted 25 October 2011 - 05:38 PM

I can only boot in 640x800 version of safe mode. If I try booting in anything other than that (which is quite hard to navigate) or Directory Services Repair mode then my monitor messes up, saying the input timing is off and I can't see anything. I assumed that had something to do with the virus because that and any problems I've had with my connection occurred after getting the malware and/or running Malwarebytes or Windows Security Essentials and removing the infections. And doing system restores did nothing except remove Windows Security Essentials.

That's why this infection is so rough to deal with, heh.

#8 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 25 October 2011 - 07:33 PM

On second thought it may be the gameguard .sys that's showing as a rootkit in Gmer. These things can have rootkit-like behavior.

Can you, in safe mode, change your monitor's resolution to 800x600 (just like you would change it normally in Vista via display properties), apply, then reboot normally and see if you have a desktop? Can you run malwarebytes while you're in safe mode?

How Can I Reduce My Risk to Malware?


#9 icarusbreathes

icarusbreathes
  • Topic Starter

  • Members
  • 47 posts

Posted 26 October 2011 - 03:10 PM

On second thought it may be the gameguard .sys that's showing as a rootkit in Gmer. These things can have rootkit-like behavior.

Can you, in safe mode, change your monitor's resolution to 800x600 (just like you would change it normally in Vista via display properties), apply, then reboot normally and see if you have a desktop? Can you run malwarebytes while you're in safe mode?


I am not able to change the display in the low res safe mode that allows me in, or if I can it does not allow me to boot normally. I can run Malwarebytes in any mode that I can access, which I have done a couple of times... it stopped finding anything the past 2 times I did it. Do you think it's possible that I cleared the infection but damaged a driver or something which is affecting my monitor and occasionally, my internet? When I run Ccleaner it still finds an abnormal amount of registry errors which makes me think I'm still infected in some way.

Edited by icarusbreathes, 26 October 2011 - 03:13 PM.


#10 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 26 October 2011 - 06:15 PM

Let's get another check for any malware, and once it all looks good we will go on from there to address the monitor issue. Really, malware wants a working internet connection; without one it's pretty useless. Two downloads to get:

1) Please download TDSS Killer.exe and save it to your desktop

Double click to launch the utility. Vista and Windows 7 right click and "run as admin.." After it initializes click the start scan button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

A report can also be found in your Root drive Local Disk (C:) as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt)

Please post the log report.



2) Download aswMBR to your desktop.

Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply.

How Can I Reduce My Risk to Malware?


#11 icarusbreathes

icarusbreathes
  • Topic Starter

  • Members
  • 47 posts

Posted 26 October 2011 - 06:43 PM

Logs attached.

I did update with Avast virus definitions but didn't remove the thing MBR found as it wasn't in your instructions.

Attached Files



#12 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 26 October 2011 - 07:11 PM

Forget what I said about it being gameguard. It's not, it's a rootkit, as you must have seen in the tdsskiller log.

Based on the log you have a rootkit on board the machine. My rootkit disclaimer:



You have a rootkit on your machine. They hide malicious files and components from traditional antivirus/antimalware software. Rootkits bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean, it's still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a complete reformat/reinstall of Windows as an option.
The best source for information on how to do a reformat/reinstall would be the computer manufacturer's website.


To manually clean up the computer with current utilities proceed as follows:

So after you ran tdsskiller you rebooted your machine? Also try running combofix again after the reboot.

How Can I Reduce My Risk to Malware?


#13 icarusbreathes

icarusbreathes
  • Topic Starter

  • Members
  • 47 posts

Posted 26 October 2011 - 07:19 PM

Yes, it prompted me to reboot and I did. It did the monitor thing again so I powered off, f8, and came back using the Directory Services thing. Combofix still states at the beginning that access is denied and I must be an administrator even after clicking run as admin.

#14 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost

Posted 26 October 2011 - 07:55 PM

OK good. So I guess you tried booting into the safe mode with networking option.

How Can I Reduce My Risk to Malware?


#15 icarusbreathes

icarusbreathes
  • Topic Starter

  • Members
  • 47 posts

Posted 26 October 2011 - 07:57 PM

Yeah I tried just about every option they gave me, either in the initial f8 screen or the one that gives you more options when your computer detects it was shut off "improperly" (which I had to do due to the monitor issue). It's always the monitor that stops me.
