
Multiple infection-Trojan, Rootkit and DOS


  • This topic is locked
28 replies to this topic

#1 hilus

hilus

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 17 May 2012 - 08:52 PM

Hello,

Back again, trying to help my father-in-law. Last week, he was suddenly unable to get on-line. After I walked him through verifying his network was up and running normally and making sure it wasn't a hardware/driver issue, I had him scan his system with his cable/internet provider's Norton Security Suite. The scan came back clean. That's when he asked me to take the computer home and do what I could. I began scanning and cleaning the system but I think there is still some work to do. I don't think I got it all. Here is what I did; I hope I didn't screw up too much.

I began with a Malwarebytes scan which turned up several infected files and Trojans (I can't post the logs because I accidentally deleted them). After a restart I was on-line but the system seemed real sluggish. Scanned with ESET online and it found several additional Trojans and a rootkit. Still sluggish, so I jumped in and ran Defogger, then ComboFix, which crashed (blue screen and a reboot). Ran TDSSKiller, which did something but I can't find the log, only the quarantine, then RKill and things got better, so I ran ComboFix and all seemed well. Did some clean up and ran CCleaner, TFC and SFC /scannow to repair some files that ComboFix was unable to repair. Unfortunately, SFC also failed to repair some of the files. Can you please check my GMER and DDS logs to see where I went wrong? I still think there is something going on. Someday I'm going to take your training program so I can really know what I'm doing.


Thank you very much for all your help.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421

Run by tomstoy3 at 7:21:05 on 2012-05-17

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.762 [GMT -4:00]

.

AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Windows\system32\svchost.exe -k apphost

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe

C:\Windows\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files\Norton PC Checkup\Engine\2.0.15.91\ccSvcHst.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\PSIService.exe

C:\Program Files\Secunia\PSI\PSIA.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\providerComcast\bin\tgsrvc.exe

C:\Windows\system32\svchost.exe -k iissvcs

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Windows\system32\DllHost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe

C:\Program Files\Norton PC Checkup\Engine\2.0.15.91\ccSvcHst.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Secunia\PSI\psi_tray.exe

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\Explorer.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Norton PC Checkup\Engine\2.0.15.91\SymcPCCULaunchSvc.exe

C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\System32\svchost.exe -k secsvcs

C:\PROGRA~1\MICROS~2\WksWP.exe

C:\PROGRA~1\MICROS~2\WkDStore.exe

C:\PROGRA~1\MICROS~2\wkgdcach.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.comcast.net/

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.4.0.12\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.4.0.12\IPSBHO.DLL

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\4.4.0.12\coIEPlg.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

Trusted Zone: ancestry.com\search

Trusted Zone: comcast.net\www

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: mlb.com\boston.redsox

Trusted Zone: toyota.com\www

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab

DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://ec2-174-129-18-125.compute-1.amazonaws.com/intel-systeminfo-api/receivers/FMSI.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A3D8E5F6-0591-4DE6-8193-AB3E6B86B7F6} : DhcpNameServer = 192.168.1.1

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: igfxcui - igfxdev.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

.

============= SERVICES / DRIVERS ===============

.

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2012-5-14 28552]

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0404000.00c\symds.sys [2011-10-31 328752]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0404000.00c\symefa.sys [2011-10-31 173176]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20120507.001\BHDrvx86.sys [2012-5-10 821880]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0404000.00c\cchpx86.sys [2011-10-31 485512]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20120512.001\IDSvix86.sys [2012-5-14 368248]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0404000.00c\ironx86.sys [2011-10-31 116784]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0404000.00c\symtdiv.sys [2011-10-31 340088]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.4.0.12\ccsvchst.exe [2011-10-31 126400]

R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.15.91\SymcPCCULaunchSvc.exe [2011-11-7 123320]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-24 2255464]

R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.15.91\ccSvcHst.exe [2011-11-7 126392]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-5-12 1153368]

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]

R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2011-3-14 5120]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-8-3 379496]

R2 tgsrvc_providercomcast;SupportSoft Repair Service (providercomcast);c:\program files\providercomcast\bin\tgsrvc.exe [2008-5-2 148768]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-13 106104]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-30 79816]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-30 35272]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-30 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-30 40552]

S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]

S4 gupdate1c9955c5edd0e9b;Google Update Service (gupdate1c9955c5edd0e9b);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

S4 gupdatem;Google Update Service (gupdatem);"c:\program files\google\update\googleupdate.exe" /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]

.

=============== Created Last 30 ================

.

2012-05-16 07:16:11 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{a000cf6e-f8d7-4c1d-bd44-a7e8da0b4dc5}\offreg.dll

2012-05-15 20:41:34 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{a000cf6e-f8d7-4c1d-bd44-a7e8da0b4dc5}\mpengine.dll

2012-05-15 00:01:18 -------- d-----w- c:\windows\Microsoft Antimalware

2012-05-14 19:55:04 -------- d-----w- c:\users\tomstoy3\appdata\local\temp

2012-05-14 19:54:19 -------- d-sh--w- C:\$RECYCLE.BIN

2012-05-14 19:36:18 -------- d-----w- C:\ComboFix

2012-05-14 19:06:03 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys

2012-05-14 19:06:00 -------- d-----w- c:\program files\Panda Security

2012-05-14 14:45:28 -------- d-----w- c:\program files\CCleaner

2012-05-14 12:46:04 98816 ----a-w- c:\windows\sed.exe

2012-05-14 12:46:04 518144 ----a-w- c:\windows\SWREG.exe

2012-05-14 12:46:04 256000 ----a-w- c:\windows\PEV.exe

2012-05-14 12:46:04 208896 ----a-w- c:\windows\MBR.exe

2012-05-12 15:03:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2012-05-12 15:03:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2012-05-12 14:15:09 -------- d-----w- C:\TDSSKiller_Quarantine

2012-05-11 19:37:55 -------- d-----w- c:\users\tomstoy3\appdata\local\Secunia PSI

2012-05-11 19:37:05 -------- d-----w- c:\program files\Secunia

2012-05-11 13:29:08 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-05-11 02:35:10 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-05-11 02:35:08 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-05-11 02:35:05 983040 ----a-w- c:\program files\windows journal\JNTFiltr.dll

2012-05-11 02:35:05 964608 ----a-w- c:\program files\windows journal\JNWDRV.dll

2012-05-11 02:35:05 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll

2012-05-11 02:35:05 1404928 ----a-w- c:\program files\common files\microsoft shared\ink\InkObj.dll

2012-05-11 02:35:05 1218048 ----a-w- c:\program files\windows journal\NBDoc.DLL

2012-05-11 02:35:04 47104 ----a-w- c:\program files\windows journal\PDIALOG.exe

2012-05-11 02:34:58 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-05-11 02:34:58 1069056 ----a-w- c:\windows\system32\DWrite.dll

2012-05-11 02:34:57 683008 ----a-w- c:\windows\system32\d2d1.dll

2012-05-11 02:34:57 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2012-05-11 02:34:57 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2012-05-11 02:34:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-11 02:34:38 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-05-11 02:34:38 2044928 ----a-w- c:\windows\system32\win32k.sys

.

==================== Find3M ====================

.

2012-05-11 13:28:22 472864 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll

2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys

2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll

2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll

2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-02-23 14:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe

.

============= FINISH: 7:21:33.73 ===============




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-17 07:01:16
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 WDC_WD3200AAJS-22B4A0 rev.01.03A01
Running: ih9uf2cq.exe; Driver: C:\Users\tomstoy3\AppData\Local\Temp\afldipog.sys


---- System - GMER 1.0.15 ----

SSDT 86AF3068 ZwAlertResumeThread
SSDT 86B04840 ZwAlertThread
SSDT 86C6ABD0 ZwAllocateVirtualMemory
SSDT 8671B9D8 ZwAlpcConnectPort
SSDT 86B4A8E8 ZwAssignProcessToJobObject
SSDT 86C71DC0 ZwCreateMutant
SSDT 86C75AA0 ZwCreateSymbolicLinkObject
SSDT 86C6B600 ZwCreateThread
SSDT 86B42120 ZwDebugActiveProcess
SSDT 86C6ADE8 ZwDuplicateObject
SSDT 86C6A5F0 ZwFreeVirtualMemory
SSDT 86B18120 ZwImpersonateAnonymousToken
SSDT 86AEF120 ZwImpersonateThread
SSDT 866FB4D0 ZwLoadDriver
SSDT 86C6A4D0 ZwMapViewOfSection
SSDT 86B1C068 ZwOpenEvent
SSDT 86C6B0A8 ZwOpenProcess
SSDT 86AC9118 ZwOpenProcessToken
SSDT 86B39A30 ZwOpenSection
SSDT 86C6AEF8 ZwOpenThread
SSDT 86C74630 ZwProtectVirtualMemory
SSDT 86B01120 ZwResumeThread
SSDT 86AEB110 ZwSetContextThread
SSDT 86C6A278 ZwSetInformationProcess
SSDT 86B3A118 ZwSetSystemInformation
SSDT 86B32068 ZwSuspendProcess
SSDT 86AFD120 ZwSuspendThread
SSDT 86AD6110 ZwTerminateProcess
SSDT 86AF6118 ZwTerminateThread
SSDT 86AE8118 ZwUnmapViewOfSection
SSDT 86C6A900 ZwWriteVirtualMemory
SSDT 86C75EF0 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 824E47E0 8 Bytes [68, 30, AF, 86, 40, 48, B0, ...] {PUSH 0x4086af30; DEC EAX; MOV AL, 0x86}
.text ntkrnlpa.exe!KeSetEvent + 131 824E47F4 4 Bytes [D0, AB, C6, 86]
.text ntkrnlpa.exe!KeSetEvent + 13D 824E4800 4 Bytes [D8, B9, 71, 86]
.text ntkrnlpa.exe!KeSetEvent + 191 824E4854 4 Bytes CALL DED4FD01
.text ntkrnlpa.exe!KeSetEvent + 1F5 824E48B8 4 Bytes [C0, 1D, C7, 86]
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OqenWithList@a ieuser.exe
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OqenWithList@MRUList hbegfacd
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OqenWithList@b iexplore.exe
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OqenWithList@c wksss.exe
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OqenWithList@d WksWP.exe
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OqenWithList@e WINWORD.EXE
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OqenWithList@f EXCEL.EXE
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OqenWithList@g WinMail.exe
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OqenWithList@h soffice.BIN
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OqenWithList\WINWORD.EXE

---- EOF - GMER 1.0.15 ----
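The SERVICES / DRIVERS lines in the DDS log above all have the same shape: a two-character prefix, three semicolon-separated fields (service name, display name, image path) and a bracketed file date and size, or "[?]" where DDS could not read the file. The following is an added example, written for this page and not part of the thread, of DDS or of any tool mentioned here. It parses those lines into records and attaches triage cues a reviewer would check first. Two things in it are my assumptions rather than documented facts: the reading of the prefix (R = running, S = stopped, digit = Windows service start type), and the cue rules themselves, which are review hints, not verdicts. Note how the page's own log trips one of them: Norton's BHDrvx86 driver loads at system start from under c:\programdata, which is where that product keeps its definitions, so the cue says "verify the path and signer", not "malware". The sample lines are copied from the log posted above.

```python
"""Parse the SERVICES / DRIVERS section of a DDS log and flag entries
worth a second look. Added example; not part of the DDS tool."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed reading of the DDS prefix: R = running, S = stopped; the digit is
# the Windows service start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# "<R|S><digit> <name>;<display name>;<image path> [<file date> <file size>]"
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) "
    r"\[(?P<meta>[^\]]*)\]$"
)

# Constructed sample: five lines copied from the DDS log posted above,
# bracketed by the section headers DDS prints around them.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2012-5-14 28552]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20120507.001\BHDrvx86.sys [2012-5-10 821880]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.4.0.12\ccsvchst.exe [2011-10-31 126400]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-30 79816]
S4 gupdatem;Google Update Service (gupdatem);"c:\program files\google\update\googleupdate.exe" /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
.
=============== Created Last 30 ================
"""


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    image_path: str
    file_date: Optional[str]   # None when DDS printed "[?]"
    file_size: Optional[int]


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one DDS service/driver line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image")
    # DDS prints '<registry command line> --> <resolved file>' when they differ;
    # the resolved file is the one to verify on disk.
    if "-->" in image:
        image = image.split("-->", 1)[1].strip()
    meta = m.group("meta").split()
    if len(meta) == 2 and meta[1].isdigit():
        file_date: Optional[str] = meta[0]
        file_size: Optional[int] = int(meta[1])
    else:
        file_date, file_size = None, None  # "[?]": DDS could not stat the file
    return ServiceEntry(
        name=m.group("name"),
        display=m.group("display"),
        running=m.group("state") == "R",
        start_type=START_TYPES[m.group("start")],
        image_path=image,
        file_date=file_date,
        file_size=file_size,
    )


def parse_services_section(log_text: str) -> List[ServiceEntry]:
    """Pull every parsable line out of the SERVICES / DRIVERS section only."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in log_text.splitlines():
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if in_section and line.startswith("="):
            break  # next DDS section header
        if in_section:
            entry = parse_line(line)
            if entry is not None:
                entries.append(entry)
    return entries


def review_flags(entry: ServiceEntry) -> List[str]:
    """Triage cues, not verdicts: each flag means 'verify this one first'."""
    flags: List[str] = []
    path = entry.image_path.lower()
    if entry.file_size is None:
        flags.append("file metadata unavailable")
    if (path.endswith(".sys")
            and entry.start_type in ("boot", "system")
            and "\\windows\\system32\\drivers\\" not in path):
        flags.append("early-start driver outside system32\\drivers")
    return flags


def triage(log_text: str) -> dict:
    """Map service name -> flags, for entries that have at least one."""
    return {e.name: review_flags(e)
            for e in parse_services_section(log_text) if review_flags(e)}


if __name__ == "__main__":
    for e in parse_services_section(SAMPLE_LOG):
        state = "running" if e.running else "stopped"
        print(f"{e.name:<10} {state:<8} {e.start_type:<9} {e.image_path}  {review_flags(e) or ''}")
```

On the sample, `triage` returns cues for BHDrvx86 (system-start driver under c:\programdata) and gupdatem (DDS could not stat the file, which is typical for a disabled service whose binary was removed or moved). Everything else parses without a cue, consistent with the reply below calling the DDS log clean; the point of the parser is to make that judgement repeatable rather than eyeballed across sixty lines.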



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 May 2012 - 09:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your DDS log is clean.

I would like to see the log from the aswMBR tool.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any antivirus protection on the computer.
===

Any issues with this computer at the moment?

#3 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 21 May 2012 - 07:59 AM

Hi Nasdaq,

Thanks for your help. I downloaded aswMBR as instructed. However, when I performed the scan, aswMBR crashed. I attempted a full scan on C:\ twice. After the second failed attempt I performed a quick scan and it still crashed. Also, when scanning I found that the system got real slow and seemed to be scanning for more than 8 hours until it crashed. Can I perform the scan in safe mode?

Thank you...

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 May 2012 - 08:58 AM

so I ran Combofix and all seemed well. Did some clean up and ran ccleaner, TFC and SFC /scannow to repair some files that Combofix was unable to repair

Please run ComboFix and post a log. You may be requested to update, please do so.

What are the remaining issues with this computer if any?

#5 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 21 May 2012 - 09:26 AM

Hi nasdaq,

Well, I thought things were getting better. I was out of town for the weekend and when I left things seemed better (I was back on-line, the system seemed to be running faster without pausing between tasks), but now things seem to be getting worse. I tried to run aswMBR and it crashed; I just tried running ComboFix and it crashed and told me the installer was corrupted. I restarted the computer and got the blue screen telling me that there was an error and that Windows had to restart to prevent damage. Also, when I start the system there is a long pause after I type in the password and before the desktop comes up. When the desktop finally is up, if I click on a file or program there is a long pause before it comes up. Basically there is a long pause when asking the computer to do anything.



#6 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 21 May 2012 - 10:19 AM

Hi nasdaq,

Here is the ComboFix log. It seemed to take a long time this go around... Thank you.

ComboFix 12-05-21.01 - tomstoy3 05/21/2012 10:32:41.6.2 - x86
Running from: c:\users\tomstoy3\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-21 to 2012-05-21 )))))))))))))))))))))))))))))))
.
.
2012-05-21 15:00 . 2012-05-21 15:00 -------- d-----w- c:\users\tomstoy3\AppData\Local\temp
2012-05-21 15:00 . 2012-05-21 15:00 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-05-21 15:00 . 2012-05-21 15:00 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-05-21 15:00 . 2012-05-21 15:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-19 02:00 . 2012-05-19 02:00 -------- d-----w- c:\users\tomstoy3\AppData\Roaming\QuickScan
2012-05-18 18:00 . 2012-05-18 18:00 -------- d-----w- c:\program files\COMODO
2012-05-18 11:16 . 2012-05-18 11:16 -------- d-----w- c:\users\UpdatusUser.TT3EMV
2012-05-18 11:08 . 2012-02-29 23:59 7713088 ----a-w- c:\windows\system32\nvwgf2um.dll
2012-05-18 11:08 . 2012-02-29 23:59 61248 ----a-w- c:\windows\system32\OpenCL.dll
2012-05-18 11:08 . 2012-02-29 23:59 19444544 ----a-w- c:\windows\system32\nvoglv32.dll
2012-05-18 11:08 . 2012-02-29 23:59 5892928 ----a-w- c:\windows\system32\nvcuda.dll
2012-05-18 11:08 . 2012-02-29 23:59 2517312 ----a-w- c:\windows\system32\nvcuvid.dll
2012-05-18 11:08 . 2012-02-29 23:59 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-05-18 11:08 . 2012-02-29 23:59 15009600 ----a-w- c:\windows\system32\nvd3dum.dll
2012-05-18 11:08 . 2012-02-29 23:59 10819392 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-05-18 11:08 . 2012-02-29 23:59 17543488 ----a-w- c:\windows\system32\nvcompiler.dll
2012-05-18 05:55 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0BC2CC6E-C6FC-45ED-B7FA-D97034478A58}\mpengine.dll
2012-05-17 18:35 . 2012-05-17 18:35 -------- d-----w- c:\program files\Google
2012-05-17 18:34 . 2012-05-17 18:34 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-17 18:34 . 2012-05-17 18:34 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-15 00:01 . 2012-05-15 00:01 -------- d-----w- c:\windows\Microsoft Antimalware
2012-05-14 19:06 . 2012-05-19 02:48 -------- d-----w- c:\program files\Panda Security
2012-05-14 14:45 . 2012-05-14 14:45 -------- d-----w- c:\program files\CCleaner
2012-05-12 15:03 . 2012-05-14 17:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-05-12 15:03 . 2012-05-12 15:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-05-12 14:15 . 2012-05-12 14:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-11 19:37 . 2012-05-11 19:37 -------- d-----w- c:\users\tomstoy3\AppData\Local\Secunia PSI
2012-05-11 19:37 . 2012-05-11 19:37 -------- d-----w- c:\program files\Secunia
2012-05-11 13:29 . 2012-05-11 13:28 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-11 02:35 . 2012-03-20 23:28 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-11 02:35 . 2012-03-30 12:39 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-11 02:35 . 2012-02-01 15:11 1218048 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-11 02:35 . 2012-02-01 15:10 983040 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-11 02:35 . 2012-02-01 15:10 964608 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-11 02:35 . 2012-02-01 15:10 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 02:35 . 2012-02-01 15:10 1404928 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
2012-05-11 02:35 . 2012-02-01 13:58 47104 ----a-w- c:\program files\Windows Journal\PDIALOG.exe
2012-05-11 02:34 . 2012-03-01 14:46 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-05-11 02:34 . 2012-02-29 13:41 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-05-11 02:34 . 2012-03-01 14:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-05-11 02:34 . 2012-02-29 14:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-05-11 02:34 . 2012-02-29 13:44 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-05-11 02:34 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-11 02:34 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-11 02:34 . 2012-04-02 13:36 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-05-02 22:30 . 2012-05-02 22:30 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2012-05-02 22:30 . 2012-05-02 22:30 -------- d-----w- c:\users\Guest\AppData\Roaming\Apple Computer
2012-05-02 22:29 . 2012-05-02 22:29 -------- d-----w- c:\users\Guest\AppData\Roaming\Samsung
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-11 13:28 . 2010-07-12 22:30 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-05-24 20:36 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-29 23:59 . 2011-08-24 21:09 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-02-29 23:59 . 2011-08-24 21:09 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
2012-02-29 23:59 . 2009-09-27 23:12 2301248 ----a-w- c:\windows\system32\nvapi.dll
2012-02-29 20:56 . 2009-09-27 21:46 3881792 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-29 20:55 . 2009-09-27 21:47 2719040 ----a-w- c:\windows\system32\nvsvc.dll
2012-02-29 20:53 . 2009-09-27 21:47 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-29 20:53 . 2009-09-27 21:47 645440 ----a-w- c:\windows\system32\nvvsvc.exe
2012-02-29 20:53 . 2009-09-27 21:47 62272 ----a-w- c:\windows\system32\nvshext.dll
2012-02-29 17:26 . 2012-02-29 17:26 416064 ----a-w- c:\windows\system32\nvStreaming.exe
2012-02-29 15:11 . 2012-04-11 07:14 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11 . 2012-04-11 07:14 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09 . 2012-04-11 07:14 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32 . 2012-04-11 07:14 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18 . 2012-04-12 07:01 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-12 07:01 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 07:01 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-12 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 14:18 . 2010-05-02 18:11 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-23 4435968]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"CDAServer"="c:\program files\Common Files\Common Desktop Agent\CDASrv.exe" [2010-12-17 332288]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0PowerRemover.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1839411324-4190511756-3834475105-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: ancestry.com\search
Trusted Zone: comcast.net\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mlb.com\boston.redsox
Trusted Zone: toyota.com\www
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\SUPERAntiSpyware\SASSEH.DLL
Notify-!SASWinLogon - c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-21 11:00
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.4.0.12\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.15.91\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.15.91\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3876)
c:\windows\System32\NLSData0009.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-05-21 11:03:23
ComboFix-quarantined-files.txt 2012-05-21 15:03
ComboFix2.txt 2012-05-19 02:20
ComboFix3.txt 2012-05-14 19:55
ComboFix4.txt 2012-05-14 14:37
ComboFix5.txt 2012-05-21 14:30
.
Pre-Run: 146,479,427,584 bytes free
Post-Run: 146,510,184,448 bytes free
.
- - End Of File - - CEB228AC272D1F83DBAB443A39EF2F31

#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 May 2012 - 12:21 PM

The DDS reports these security tools as being installed.

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.762 [GMT -4:00].

AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}


I also see traces of Comodo, Panda, Norton....
Have these programs been removed?
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#8 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 21 May 2012 - 01:52 PM

Hi Nasdaq,


So I installed some of the programs you listed. Also I moved TDSSKiller, Rkill, aswMBR, gmer, dss, hijackthis to the recycle bin. However some of them, Bitdefender and Panda, don't appear in uninstall programs. I have retained Spybot, Combofix, Malwarebytes, TFC, CCleaner. Also when I downloaded Security Checker, Windows told me it was dangerous and I should delete it. Also Norton Security Suite is the primary antivirus that my father-in-law uses. I'm not a fan but he gets it free from his internet provider. I also noticed it may not be configured correctly. And I didn't know Windows Firewall and Defender were enabled so I disabled the services. I'm starting the security check now.

#9 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 21 May 2012 - 02:11 PM

Here is the security check log.



Results of screen317's Security Check version 0.99.33
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Secunia PSI (2.0.0.4003)
CCleaner
Java™ 6 Update 32
Java version out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Spybot Teatimer.exe is disabled!
``````````End of Log````````````

#10 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 21 May 2012 - 02:13 PM

OK, my log didn't post..... try again....

Results of screen317's Security Check version 0.99.33
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Secunia PSI (2.0.0.4003)
CCleaner
Java™ 6 Update 32
Java version out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Spybot Teatimer.exe is disabled!
``````````End of Log````````````

#11 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 21 May 2012 - 02:16 PM

OK, I attached it. BTW, if some of my posts don't make any sense, it's because I came down with the flu last night. I have a fever of 102. Sorry....


#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 May 2012 - 07:33 AM

ComboFix was upgraded yesterday.

Delete your current version and download the latest.

Run it and post the log for my review.

Let me know what problem persists.

#13 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 22 May 2012 - 09:14 AM

Here is the latest ComboFix log. Oddly, ComboFix rebooted the computer; first time that happened. Issues that still seem to be a problem are that on startup the system seems to be busy for quite a while and I can't do anything for about 5 minutes, and I get occasional messages that a file is corrupted. Also I noticed in the ComboFix log that there are some locked registry keys... is that normal?


Thanks again for all your help....



ComboFix 12-05-22.01 - tomstoy3 05/22/2012 9:01.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.896 [GMT -4:00]
Running from: c:\users\tomstoy3\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-22 to 2012-05-22 )))))))))))))))))))))))))))))))
.
.
2012-05-22 13:11 . 2012-05-22 13:58 -------- d-----w- c:\users\tomstoy3\AppData\Local\temp
2012-05-22 13:11 . 2012-05-22 13:11 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-05-22 13:11 . 2012-05-22 13:11 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-05-22 13:11 . 2012-05-22 13:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-21 18:43 . 2012-05-21 18:43 -------- d-----w- c:\users\tomstoy3\AppData\Roaming\ieSpell
2012-05-21 18:40 . 2012-05-21 18:40 -------- d-----w- c:\program files\ieSpell
2012-05-19 02:00 . 2012-05-19 02:00 -------- d-----w- c:\users\tomstoy3\AppData\Roaming\QuickScan
2012-05-18 11:16 . 2012-05-18 11:16 -------- d-----w- c:\users\UpdatusUser.TT3EMV
2012-05-18 11:08 . 2012-02-29 23:59 7713088 ----a-w- c:\windows\system32\nvwgf2um.dll
2012-05-18 11:08 . 2012-02-29 23:59 61248 ----a-w- c:\windows\system32\OpenCL.dll
2012-05-18 11:08 . 2012-02-29 23:59 19444544 ----a-w- c:\windows\system32\nvoglv32.dll
2012-05-18 11:08 . 2012-02-29 23:59 5892928 ----a-w- c:\windows\system32\nvcuda.dll
2012-05-18 11:08 . 2012-02-29 23:59 2517312 ----a-w- c:\windows\system32\nvcuvid.dll
2012-05-18 11:08 . 2012-02-29 23:59 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll
2012-05-18 11:08 . 2012-02-29 23:59 15009600 ----a-w- c:\windows\system32\nvd3dum.dll
2012-05-18 11:08 . 2012-02-29 23:59 10819392 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2012-05-18 11:08 . 2012-02-29 23:59 17543488 ----a-w- c:\windows\system32\nvcompiler.dll
2012-05-18 05:55 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{0BC2CC6E-C6FC-45ED-B7FA-D97034478A58}\mpengine.dll
2012-05-17 18:35 . 2012-05-17 18:35 -------- d-----w- c:\program files\Google
2012-05-17 18:34 . 2012-05-17 18:34 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-17 18:34 . 2012-05-17 18:34 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-15 00:01 . 2012-05-15 00:01 -------- d-----w- c:\windows\Microsoft Antimalware
2012-05-14 19:06 . 2012-05-19 02:48 -------- d-----w- c:\program files\Panda Security
2012-05-14 14:45 . 2012-05-14 14:45 -------- d-----w- c:\program files\CCleaner
2012-05-12 15:03 . 2012-05-14 17:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-05-12 15:03 . 2012-05-12 15:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-05-12 14:15 . 2012-05-12 14:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-11 19:37 . 2012-05-11 19:37 -------- d-----w- c:\users\tomstoy3\AppData\Local\Secunia PSI
2012-05-11 19:37 . 2012-05-11 19:37 -------- d-----w- c:\program files\Secunia
2012-05-11 13:29 . 2012-05-11 13:28 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-11 02:35 . 2012-03-20 23:28 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-11 02:35 . 2012-03-30 12:39 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-11 02:35 . 2012-02-01 15:11 1218048 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-11 02:35 . 2012-02-01 15:10 983040 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-11 02:35 . 2012-02-01 15:10 964608 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-11 02:35 . 2012-02-01 15:10 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 02:35 . 2012-02-01 15:10 1404928 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\InkObj.dll
2012-05-11 02:35 . 2012-02-01 13:58 47104 ----a-w- c:\program files\Windows Journal\PDIALOG.exe
2012-05-11 02:34 . 2012-03-01 14:46 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-05-11 02:34 . 2012-02-29 13:41 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-05-11 02:34 . 2012-03-01 14:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-05-11 02:34 . 2012-02-29 14:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-05-11 02:34 . 2012-02-29 13:44 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-05-11 02:34 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-11 02:34 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-11 02:34 . 2012-04-02 13:36 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-05-02 22:30 . 2012-05-02 22:30 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2012-05-02 22:30 . 2012-05-02 22:30 -------- d-----w- c:\users\Guest\AppData\Roaming\Apple Computer
2012-05-02 22:29 . 2012-05-02 22:29 -------- d-----w- c:\users\Guest\AppData\Roaming\Samsung
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-11 13:28 . 2010-07-12 22:30 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-04 19:56 . 2010-05-24 20:36 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-29 23:59 . 2011-08-24 21:09 881984 ----a-w- c:\windows\system32\nvgenco32.dll
2012-02-29 23:59 . 2011-08-24 21:09 1000256 ----a-w- c:\windows\system32\nvdispco32.dll
2012-02-29 23:59 . 2009-09-27 23:12 2301248 ----a-w- c:\windows\system32\nvapi.dll
2012-02-29 20:56 . 2009-09-27 21:46 3881792 ----a-w- c:\windows\system32\nvcpl.dll
2012-02-29 20:55 . 2009-09-27 21:47 2719040 ----a-w- c:\windows\system32\nvsvc.dll
2012-02-29 20:53 . 2009-09-27 21:47 108352 ----a-w- c:\windows\system32\nvmctray.dll
2012-02-29 20:53 . 2009-09-27 21:47 645440 ----a-w- c:\windows\system32\nvvsvc.exe
2012-02-29 20:53 . 2009-09-27 21:47 62272 ----a-w- c:\windows\system32\nvshext.dll
2012-02-29 17:26 . 2012-02-29 17:26 416064 ----a-w- c:\windows\system32\nvStreaming.exe
2012-02-29 15:11 . 2012-04-11 07:14 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11 . 2012-04-11 07:14 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09 . 2012-04-11 07:14 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32 . 2012-04-11 07:14 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18 . 2012-04-12 07:01 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-12 07:01 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 07:01 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-12 07:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 14:18 . 2010-05-02 18:11 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-23 4435968]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"CDAServer"="c:\program files\Common Files\Common Desktop Agent\CDASrv.exe" [2010-12-17 332288]
.
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0PowerRemover.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1839411324-4190511756-3834475105-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: ancestry.com\search
Trusted Zone: comcast.net\www
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mlb.com\boston.redsox
Trusted Zone: toyota.com\www
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.4.0.12\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.15.91\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.15.91\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(11140)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\LINKINFO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\eMachines Games\eMachines Game Console\GameConsoleService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
c:\program files\Norton PC Checkup\Engine\2.0.15.91\ccSvcHst.exe
c:\windows\system32\PSIService.exe
c:\program files\Secunia\PSI\PSIA.exe
c:\program files\providerComcast\bin\tgsrvc.exe
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\DllHost.exe
c:\program files\Norton PC Checkup\Engine\2.0.15.91\SymcPCCULaunchSvc.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Norton PC Checkup\Engine\2.0.15.91\ccSvcHst.exe
c:\program files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\windows\system32\sdclt.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-05-22 10:03:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-22 14:02
ComboFix2.txt 2012-05-21 15:03
ComboFix3.txt 2012-05-19 02:20
ComboFix4.txt 2012-05-14 19:55
ComboFix5.txt 2012-05-22 12:59
.
Pre-Run: 146,838,179,840 bytes free
Post-Run: 147,151,400,960 bytes free
.
- - End Of File - - D86564F58D24D7B6994F445BF62FE022

#14 hilus

hilus
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Portsmouth, NH

Posted 22 May 2012 - 09:39 AM

Hi Nasdaq,

I know you didn't ask for this but I'm just worried that I forgot something that I should be telling you. So this is a log from CCleaner under tools>startup>scheduled tasks. So looking at the list, why is a temp file in IE launching pcalua.exe and it seems to be doing something with netsetup? Also E:\ drive is a DVD and I presently have 72 processes running.

Thanks again....

Yes Task {101FC110-D080-4BB3-9CE7-1F48EBCA4F81} C:\Windows\system32\pcalua.exe -a "C:\Users\tomstoy3\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7HRPHS1S\exview_setup[1].exe" -d C:\Users\tomstoy3\Desktop

Yes Task {49518580-52BD-4CA8-8A3D-9B342631357B} C:\Windows\system32\pcalua.exe -a C:\Users\tomstoy3\Downloads\Irfanview_4x\irfanview_plugins_425_setup.exe -d C:\Users\tomstoy3\Downloads\Irfanview_4x

Yes Task {4A942641-1C9B-4896-A61D-5661B0E7AE3F} C:\Windows\system32\pcalua.exe -a E:\SETUP.EXE -d E:\

Yes Task {632500F9-1D7C-4F22-AB8C-3ADA3C0E67A7} C:\Windows\system32\pcalua.exe -a E:\setup.exe -d E:\

No Task {74467F5A-1613-4180-BF49-9DE7B835030C} C:\Windows\system32\pcalua.exe -a E:\SETUP.EXE -d E:\

Yes Task {807208B6-76DC-4453-A434-EA06F4B5559D} C:\Windows\system32\pcalua.exe -a "C:\Users\tomstoy3\Downloads\2009 Pool Swimmin TMS\pool SS calcularor.exe" -d "C:\Users\tomstoy3\Downloads\2009 Pool Swimmin TMS"

Yes Task {8573BAA7-23FB-4082-AFEE-60FD48B95FBD} C:\Windows\system32\pcalua.exe -a K:\netsetup.exe -d K:\

Yes Task {992601A5-4D1C-4803-8CF4-631926577B3F} C:\Windows\system32\pcalua.exe -a E:\SETUP.EXE -d E:\

Yes Task {BF12EFB3-E052-4412-BFF5-E89BEDE79365} C:\Windows\system32\pcalua.exe -a J:\netsetup.exe -d J:\

Yes Task {D8EB7D91-C618-48F3-A9C1-FEE9337FB219} C:\Windows\system32\pcalua.exe -a "C:\Users\tomstoy3\Documents\TMS_CORI new pool\free dls\000_pool chem help.exe" -d "C:\Users\tomstoy3\Documents\TMS_CORI new pool\free dls"

Yes Task {F202267A-1A6A-4F58-9708-6D23EC8CBD14} C:\Windows\system32\pcalua.exe -a C:\Users\tomstoy3\AppData\Local\Temp\Temp1_tbcwin.zip\SETUP.EXE

Edited by hilus, 22 May 2012 - 09:43 AM.
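
As an added defender-side example (not code from this thread, from CCleaner or from BleepingComputer), the script below parses scheduled-task lines in the format CCleaner printed above and flags the entries hilus is asking about. pcalua.exe is the Windows Program Compatibility Assistant launcher; its `-a` argument is the program it was asked to run and `-d` the working directory, so the useful triage question is where that target program lives. Targets under Temporary Internet Files or AppData\Local\Temp (installers run straight from the browser cache or from inside a zip) and targets on drive letters other than C: (assumed here to be the system drive; E:, J: and K: are optical or removable media that may no longer be present) get a review note. The sample lines are a subset copied verbatim from the listing above; nothing else is assumed.

```python
import re
from typing import Dict, List, Optional

# Lines copied from the CCleaner Tools > Startup > Scheduled Tasks listing posted
# above (a subset, not constructed). Format: <Enabled> Task {GUID} <command line>.
SAMPLE_TASKS = r"""
Yes Task {101FC110-D080-4BB3-9CE7-1F48EBCA4F81} C:\Windows\system32\pcalua.exe -a "C:\Users\tomstoy3\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7HRPHS1S\exview_setup[1].exe" -d C:\Users\tomstoy3\Desktop
Yes Task {49518580-52BD-4CA8-8A3D-9B342631357B} C:\Windows\system32\pcalua.exe -a C:\Users\tomstoy3\Downloads\Irfanview_4x\irfanview_plugins_425_setup.exe -d C:\Users\tomstoy3\Downloads\Irfanview_4x
Yes Task {4A942641-1C9B-4896-A61D-5661B0E7AE3F} C:\Windows\system32\pcalua.exe -a E:\SETUP.EXE -d E:\
Yes Task {8573BAA7-23FB-4082-AFEE-60FD48B95FBD} C:\Windows\system32\pcalua.exe -a K:\netsetup.exe -d K:\
Yes Task {F202267A-1A6A-4F58-9708-6D23EC8CBD14} C:\Windows\system32\pcalua.exe -a C:\Users\tomstoy3\AppData\Local\Temp\Temp1_tbcwin.zip\SETUP.EXE
"""

# One listing line: enabled flag, task GUID, then the full command line.
TASK_RE = re.compile(r"^(?P<enabled>Yes|No)\s+Task\s+(?P<id>\{[0-9A-Fa-f-]+\})\s+(?P<cmd>.+)$")
# Windows-style argument splitting: a double-quoted span or a run of non-whitespace.
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')

# Assumption for this example: the target is worth a look when it lives in a
# temporary/browser-cache folder. Matched case-insensitively against the path.
TEMP_MARKERS = ("\\temporary internet files\\", "\\appdata\\local\\temp\\")


def split_args(cmdline: str) -> List[str]:
    """Split a command line on whitespace while keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def parse_task(line: str) -> Optional[Dict[str, object]]:
    """Parse one CCleaner scheduled-task line; return None for anything else."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    args = split_args(m.group("cmd"))
    task: Dict[str, object] = {
        "enabled": m.group("enabled") == "Yes",
        "id": m.group("id"),
        "launcher": args[0] if args else "",
        "target": None,   # value of pcalua.exe's -a switch (the program actually run)
        "workdir": None,  # value of its -d switch
    }
    i = 1
    while i + 1 < len(args):
        if args[i] == "-a":
            task["target"] = args[i + 1]
        elif args[i] == "-d":
            task["workdir"] = args[i + 1]
        i += 1
    return task


def review_target(target: Optional[str]) -> List[str]:
    """Return the reasons (possibly none) a launched program deserves a look."""
    if not target:
        return ["no -a target recorded"]
    reasons = []
    t = target.lower()
    if any(marker in t for marker in TEMP_MARKERS):
        reasons.append("target sits in a temp/browser-cache folder")
    # Assumption: C: is the system drive; other letters are removable/optical media.
    if re.match(r"^[a-z]:\\", t) and not t.startswith("c:\\"):
        reasons.append("target is on a non-system drive letter (media may be absent)")
    return reasons


def triage(listing: str) -> List[Dict[str, object]]:
    """Parse every task line in the listing and attach review reasons to each."""
    results = []
    for line in listing.splitlines():
        task = parse_task(line)
        if task is None:
            continue
        task["reasons"] = review_target(task["target"])  # type: ignore[arg-type]
        results.append(task)
    return results


def flagged(listing: str) -> List[Dict[str, object]]:
    """Only the tasks that picked up at least one review reason."""
    return [t for t in triage(listing) if t["reasons"]]


if __name__ == "__main__":
    for t in triage(SAMPLE_TASKS):
        status = "REVIEW" if t["reasons"] else "ok"
        print(f"{status:6} {t['id']} {t['target']}")
        for reason in t["reasons"]:  # type: ignore[union-attr]
            print(f"        - {reason}")
```

Run it as-is and four of the five sample tasks come back marked REVIEW (the IE-cache installer, the two optical/removable-drive setups and the zip-extracted SETUP.EXE); the IrfanView plugin installer under Downloads is left alone. A flag means "find out what this was and whether the file still exists", not "malware": every one of these entries is consistent with the user running installers through the compatibility assistant, which is exactly what nasdaq's linked answer on pcalua.exe describes.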


#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,762 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 May 2012 - 01:07 PM

Yes, it's normal to have some locked keys. They should not be tampered with.

So this is a log from CCleaner under tools>startup>scheduled tasks. So looking at the list, why is a temp file in IE launching pcalua.exe and It seems to be doing something with netsetup? Also E:\ drive is a DVD and I presently have 72 Processes running.


CCleaner creates a log file. Please delete it and keep it in the Recycle bin for a week or two. You can delete it then if all is well.

CCleaner should not be running all the time. If you see it in the processes as working, stop it.
I suggest you run it once a week at most.
===

What does PCALUA.EXE do?

Read about it.
http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/what-does-pcaluaexe-do/5951f4b4-18f6-4b21-b925-ed5bb9032e9b
<<<>>>

The Secunia PSI tray is loaded at every boot time.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]

This is not required. The tool should be run once a month.
Remove it from the startup folder.
===

I get occasional messages that a file is corrupted.

Is the file identified?
Post the name if you can.

Keep me posted.



