Malware or Trojan, unknown, multiple problems



Post by pmbmrfc on Wed Jul 29, 2009 8:43 pm

Started with an inability to open task manager, gone downhill since, multiple runDLL errors, error loading tcp mib library, various Dll "is not a valid windows image," cannot open internet options, many "%1 is not a valid Win32 application".
Here's the HJT report, thanks very much for your time. Paul

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:33:23, on 29/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PMB\Desktop\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - [You must be registered and logged in to see this link.] Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Fax - Unknown owner - C:\WINDOWS\system32\fxssvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10068 bytes

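The one line in the HJT process list above that stands out is winlogon.exe running from the user's Desktop rather than from System32, which is exactly the file MBAM later quarantines in this thread. As an added example (not HijackThis or Geek Police code), here is a small triage script that parses the "Running processes" section of an HJT log and flags Windows system-binary names running from a directory where that binary does not normally live; the sample log is a constructed excerpt of the posted one, and the expected-location table is an assumption written for Windows XP with %SystemRoot% = C:\WINDOWS. The same check is also run over file paths taken from the MBAM log posted later in the thread, since it applies to any list of paths.

```python
r"""Triage check for a HijackThis "Running processes" list.

Flags well-known Windows system-binary filenames that run from a
directory other than their normal home. Added example for this thread,
not code from HijackThis; the EXPECTED_DIRS table is an assumption for
a default Windows XP install with %SystemRoot% = C:\WINDOWS.
"""
from typing import NamedTuple

# Filenames a clean Windows XP install runs only from these directories
# (compared lower-case, no trailing backslash). Assumed mapping.
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Constructed excerpt of the HJT log posted in this thread (the real log is longer).
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:33:23, on 29/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PMB\Desktop\winlogon.exe

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
"""

# File paths taken from the MBAM log posted later in this thread.
MBAM_PATHS = [
    r"C:\Program Files\Internet Explorer\svchost.exe",
    r"C:\Program Files\Internet Explorer\smss.exe",
    r"C:\WINDOWS\system32\Drivers\etc\lsass.exe",
    r"C:\WINDOWS\system32\Drivers\etc\smss.exe",
    r"C:\Program Files\Internet Explorer\Wusa.exe",  # not in the table: not flagged
]


class Finding(NamedTuple):
    path: str
    reason: str


def parse_running_processes(log_text: str) -> list[str]:
    """Return the paths between 'Running processes:' and the next blank line."""
    paths: list[str] = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if not in_section:
            continue
        if not stripped:
            if paths:      # first blank line after the list closes the section
                break
            continue       # tolerate a blank line directly under the heading
        paths.append(stripped)
    return paths


def check_paths(paths: list[str]) -> list[Finding]:
    """Flag system-binary names whose directory is not one listed in EXPECTED_DIRS."""
    findings: list[Finding] = []
    for path in paths:
        lowered = path.lower()
        if "\\" not in lowered:
            continue  # bare names (as in DDS output) carry no directory to check
        directory, _, name = lowered.rpartition("\\")
        expected = EXPECTED_DIRS.get(name)
        if expected is None or directory in expected:
            continue
        findings.append(Finding(
            path,
            f"{name} normally runs from {' or '.join(sorted(expected))}, "
            f"here it is in {directory}",
        ))
    return findings


def triage_hjt(log_text: str) -> list[Finding]:
    """Parse an HJT log and return the suspicious running-process entries."""
    return check_paths(parse_running_processes(log_text))


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_HJT) + check_paths(MBAM_PATHS):
        print(f"SUSPICIOUS: {finding.path}\n    {finding.reason}")
```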

Re: Malware or Trojan, unknown, multiple problems

Post by Origin on Thu Jul 30, 2009 5:39 pm

Hello Name,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
  • If you have any cracked/pirated software on your computer, delete it or we will not help you.
  • Only follow advice from Geek Police Staff and not a regular member.
  • Do NOT run any tool without Geek Police supervision as it could render your system useless.


  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k



  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Fri Jul 31, 2009 7:47 pm

First, thank you kindly for your time and consideration, I really appreciate it.

HJT routine followed as instructed.

I must confess, before visiting this forum I took some generic Googled advice a couple of weeks ago and downloaded and ran Malwarebytes' Anti-Malware. I have posted this log SECOND after today's log below. The first log is the most recent, which found one problem; as you can see, the first running found many.

All problems still currently exist.

Thanks again, Paul.

Here's today's log file, the first one listed after.


Malwarebytes' Anti-Malware 1.39
Database version: 2536
Windows 5.1.2600 Service Pack 3

31/07/2009 20:31:34
mbam-log-2009-07-31 (20-31-34).txt

Scan type: Quick Scan
Objects scanned: 127638
Time elapsed: 24 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\PMB\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



******First Running a couple of weeks ago BELOW*******
Malwarebytes' Anti-Malware 1.38
Database version: 2393
Windows 5.1.2600 Service Pack 3

09/07/2009 19:10:29
mbam-log-2009-07-09 (19-10-29).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 190179
Time elapsed: 59 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 96

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\components\dfff.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsoffersfortoday.dll (Adware.BHO) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\Plugins\nprcpt.dll (Rogue.Multiple) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsBrowserGal.dll (Adware.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsdnser.dll (Adware.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\Connection Wizard\knfe.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\clbcatq.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\ntshrui.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\mnghif.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\wnghife.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\wnghife.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\WWShow.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\svchost.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsadsoftinc.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsglobaladsolution.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\ie567.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\Wusa.exe (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Internet Explorer\MainCode.api (Spyware.OnlineGames) -> Delete on reboot.
C:\Program Files\Internet Explorer\PowerJa.ask (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\hosts.prev (Malware.Trace) -> Delete on reboot.
C:\Program Files\Internet Explorer\keys.srv (Stolen.data) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\srff.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Internet Explorer\Plugins\System64.sys (Worm.QQPass) -> Delete on reboot.
C:\Program Files\Mozilla FireFox\Plugins\alhlp.exe (Trojan.AntiLeechPlugin) -> Delete on reboot.
C:\Program Files\Mozilla FireFox\Plugins\npalnn.dll (Trojan.AntiLeechPlugin) -> Delete on reboot.
C:\Program Files\Internet Explorer\Rsentz.z91 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\UzKtNt.Org (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\UzsKtNt.Zs3 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\7v54321t.321 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\OxPloreBot.3x6 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\JxPloreBnt.456 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\Jet0nNt64.987 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\DxPlroBt.Rxf (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\SetMail.R52 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\SentRsst.R31 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\SENTRS.R21 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\BoboNt.jsp (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\ExploreMt.456 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\7654321t.321 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsworldadmarketplace.dll (Adware.AdRotator) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsBrowserOpt.dll (Adware.AdRotator) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsBrowserCmp.dll (Adware.AdRotator) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsBrowserDc.dll (Adware.AdRotator) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\components\nsdcads.dll (Adware.AdRotator) -> Delete on reboot.
C:\Program Files\Internet Explorer\DxPl9oBt.Qxf (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\Sed7Mazl.Rz2 (Trojan.PWS) -> Delete on reboot.
C:\Program Files\Internet Explorer\smss.exe (Worm.AutoRun) -> Delete on reboot.
C:\Program Files\Internet Explorer\SedtMazl.Rz2 (Spyware.OnlineGames) -> Delete on reboot.
C:\Program Files\Internet Explorer\NewMail.vbs (Spyware.OnlineGames) -> Delete on reboot.
C:\Program Files\Internet Explorer\DotoBt.doc (Spyware.OnlineGames) -> Delete on reboot.
C:\Program Files\Internet Explorer\DotooBt.doc (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\Q7yaGrsx.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\Proceso inactivo del sistema.com (Worm.Venom) -> Delete on reboot.
C:\Program Files\Internet Explorer\New7Mail.vbs (Spyware.OnlineGames) -> Delete on reboot.
C:\Program Files\Internet Explorer\ethernet32.exe (Trojan.Banker) -> Delete on reboot.
C:\Program Files\Internet Explorer\IEXPL0RER.LNK (Malware.Trace) -> Delete on reboot.
C:\Program Files\Internet Explorer\IEXPLOREPLUS.exe (Trojan.Startpage) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\smss.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\OverMail.vbs (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\networks.exe (Worm.AutoRun) -> Delete on reboot.
C:\Program Files\Internet Explorer\IUC.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\4c1044aM.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\RKIEBHO.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\AD_LOAG (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\service3.ini (Malware.Trace) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\chrome\amba.jar (Trojan.Hanam) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\chrome\amba.js (Trojan.Hanam) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\chrome\amba.xul (Trojan.Hanam) -> Delete on reboot.
C:\Program Files\Internet Explorer\javawisx.exe (Trojan.Banker) -> Delete on reboot.
C:\Program Files\Internet Explorer\javawins.exe (Trojan.Banker) -> Delete on reboot.
C:\Program Files\Internet Explorer\nod32kut.exe (Trojan.Banker) -> Delete on reboot.
C:\Program Files\Internet Explorer\mnecgd.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\Internet Explorer\msnmsrgr.exe (Trojan.Banker) -> Delete on reboot.
C:\Program Files\Internet Explorer\msn.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\MSNMessengerAPI.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\ods.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\stm.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\hints.exe (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\hlKmbmDV.dll (Trojan.Downloader) -> Delete on reboot.
C:\Program Files\Internet Explorer\Connection Wizard\icwsetup.exe (Trojan.Downloader) -> Delete on reboot.
C:\Program Files\Internet Explorer\6.5\juncao.exe (Trojan.Downloader) -> Delete on reboot.
C:\Program Files\Internet Explorer\Connection Wizard\inteesrt.exe (Backdoor.Hupigon) -> Delete on reboot.
C:\Program Files\Internet Explorer\dll.pif (Trojan.Banker) -> Delete on reboot.
C:\Program Files\Internet Explorer\rasadhlp.dll (Spyware.Passowrds) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\rasadhlp.dll (Spyware.Passowrds) -> Delete on reboot.
C:\Program Files\Internet Explorer\Connection Wizard\wdicwtutor.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\tjiedw.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\updown.txt (Malware.Trace) -> Delete on reboot.
C:\Program Files\Internet Explorer\hunter.rar (Trojan.Banker) -> Delete on reboot.
C:\Program Files\Internet Explorer\cairo.rar (Trojan.Banker) -> Delete on reboot.
C:\Program Files\Internet Explorer\dll.rar (Trojan.Banker) -> Delete on reboot.


Re: Malware or Trojan, unknown, multiple problems

Post by Belahzur on Fri Jul 31, 2009 8:04 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.


Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Sat Aug 01, 2009 4:45 pm

DDS copied below, thanks for your time. Paul


DDS (Ver_09-07-30.01) - NTFSx86
Run by PMB at 17:40:09.65 on 01/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.166 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PMB\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\ypager.exe" -quiet
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F47C1DB5-ED21-4dc1-853E-D1495792D4C5}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~3\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-11-29 40840]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-16 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-9 108552]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-11-29 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-11-29 81288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-3-20 348752]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [2007-7-2 30371]
R3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2006-1-17 91841]
S0 pthet;pthet;c:\windows\system32\drivers\hwkwt.sys --> c:\windows\system32\drivers\hwkwt.sys [?]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-3-20 1095560]

=============== Created Last 30 ================

2009-07-27 21:48 --d----- c:\program files\JavaFX
2009-07-27 21:45 --d----- c:\program files\Sun
2009-07-27 21:44 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-27 21:44 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-22 20:02 --d----- C:\32d9b696b826d7f06a2515
2009-07-12 14:21 --d----- c:\program files\HP
2009-07-12 14:16 116,406 a------- c:\windows\hpoins07.dat
2009-07-12 14:16 21,124 -------- c:\windows\hpomdl07.dat
2009-07-12 13:06 116,376 -------- c:\windows\hpoins07.dat.temp
2009-07-12 13:06 21,124 -------- c:\windows\hpomdl07.dat.temp
2009-07-11 17:18 855 a------- c:\windows\winzip.ini
2009-07-11 17:18 --d----- C:\WINZIP
2009-07-09 20:16 --d-h--- C:\$AVG8.VAULT$
2009-07-09 19:50 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-09 19:50 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-09 19:50 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-09 19:50 --d----- c:\windows\system32\drivers\Avg
2009-07-09 19:50 --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-09 19:50 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-09 18:10 --d----- c:\docume~1\pmb\applic~1\Malwarebytes
2009-07-08 17:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-08 17:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-08 17:12 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-08 17:12 --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 14:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-12 12:58 174,712 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 18:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 18:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 18:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 18:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 18:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 18:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 18:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 18:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 18:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 18:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 12:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 15:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 15:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 20:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-06-01 21:34 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-05-12 06:11 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 16:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-03-05 14:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030520090306\index.dat

============= FINISH: 17:41:27.60 ===============

pmbmrfc
Novice
Novice

Posts Posts : 17
Joined Joined : 2009-07-27
OS OS : XP
Points Points : 26909
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Wed Aug 05, 2009 9:02 pm

Bump, please


Re: Malware or Trojan, unknown, multiple problems

Post by Belahzur on Thu Aug 06, 2009 3:21 pm

Hello.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down
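The fix.reg above removes one entry from the SecurityProviders value that the DDS report listed with five DLLs. As an added example (Python, not part of the thread or of any tool named in it), the script below reads a DDS-style "SecurityProviders:" line, reports any entry outside the four-DLL baseline the fix writes back, and renders the same .reg text; the sample log text is constructed to match the report's format, the function names are my own, and it assumes the same ControlSet001 key path the post uses.

```python
# Added example: compare a DDS-style "SecurityProviders:" line against the
# baseline the fix.reg above restores, and render that fix as .reg text.
# Function names and the sample log are constructed for this example.

# The four providers the fix.reg in the post writes back (lower-case for matching).
BASELINE = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# Constructed sample, shaped like the tail of the DDS report earlier in the thread.
SAMPLE_LOG = """\
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, append.dll
"""


def parse_security_providers(log_text):
    """Return the DLL names listed on the SecurityProviders line, or None if absent."""
    for line in log_text.splitlines():
        if line.startswith("SecurityProviders:"):
            _, _, value = line.partition(":")
            return [p.strip().lower() for p in value.split(",") if p.strip()]
    return None


def unexpected_providers(providers):
    """Entries outside the baseline: these are what the fix.reg removes."""
    return [p for p in providers if p not in BASELINE]


def build_fix_reg(control_set="ControlSet001"):
    """Render the same .reg content as the post, for the given control set key."""
    return (
        "Windows Registry Editor Version 5.00\n"
        "\n"
        f"[HKEY_LOCAL_MACHINE\\SYSTEM\\{control_set}\\Control\\SecurityProviders]\n"
        f'"SecurityProviders"="{", ".join(BASELINE)}"\n'
    )


def check_log(log_text):
    """Return (unexpected_entries, reg_text); reg_text is None when nothing needs fixing."""
    providers = parse_security_providers(log_text)
    if providers is None:
        return [], None
    extra = unexpected_providers(providers)
    return extra, (build_fix_reg() if extra else None)


if __name__ == "__main__":
    extra, reg_text = check_log(SAMPLE_LOG)
    print("unexpected SecurityProviders entries:", extra)
    if reg_text:
        print(reg_text)
```

Run against the constructed sample it reports `append.dll` as the only entry outside the baseline and prints the .reg text; a line that already matches the baseline yields no fix.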

Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Thu Aug 06, 2009 7:26 pm

Hello and thanks for your continued support. The problems all seem to be there still, as follows:

Unable to open Task Manager (a small DOS-looking window pops up for a brief second)
Unable to re-install my printer
Unable to open Internet Options under Tools, in IE. ("This operation has been cancelled due to restrictions in effect on this computer, please contact your administrator")
Multiple DLL errors still (including at start-up; I captured the attached .jpg for your perusal)

Small DOS window at start-up: "Error loading the Tcp Mib Library"
Continued sluggishness.
I have managed to extract some information from my son, who confesses to downloading music files using "P to P Torrent?" He claims this has been deleted, but the problems certainly started around this time.

I noticed in the DDS report previously posted that Norton seems to be running even though I am sure I removed it using Add/Delete in Control Panel; I don't know if this makes a difference.

Once again, thank you kindly for your time. The .jpeg follows in the next post in case you wish to ignore it.


Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Thu Aug 06, 2009 7:33 pm

It doesn't look like I can attach a file, so here's the other error at start-up:
"The application or DLL C:\Program Files\Windows Defender\MsMpRes.dll is not a valid Windows image. Please check this against your installation diskette." The error window is titled "MSASCui.exe - Bad Image".

Thanks.


Re: Malware or Trojan, unknown, multiple problems

Post by Origin on Thu Aug 06, 2009 7:53 pm

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Sat Aug 08, 2009 10:01 am

I have a problem. Although Norton Internet Security was removed using Add/Remove Programs some time ago, and there is no sign on my desktop that it is running, ComboFix is stating the program is running, and I am not happy running it under these conditions. Should I run ComboFix and ignore the Norton warning, or is there any backdoor way of ensuring Norton is inactive? Of course I cannot open Norton to disable it, as from where I'm sitting it doesn't exist. Many thanks, Paul


Re: Malware or Trojan, unknown, multiple problems

Post by Belahzur on Sat Aug 08, 2009 3:55 pm

Run Combofix in safe mode; that will ensure that it won't interfere.



Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Sun Aug 09, 2009 6:32 pm

Ran Combofix in Safe Mode; a couple of warnings regarding the authenticity of the Combofix download site appeared, as well as a Windows problem requiring an upload (regarding a restart point, I think), which couldn't be performed as I was in Safe Mode and unable to connect to the internet.

Report copied below (all problems still exist).
Many thanks, Paul (1/2 copied here, 1/2 later as the forum stated it was too large)

2009-07-27 21:00 . 2009-03-05 15:12 -------- d-----w- c:\program files\DivX
2009-07-27 20:31 . 2007-11-29 21:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-27 20:26 . 2006-01-17 16:20 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-27 19:22 . 2006-01-18 16:11 41536 ----a-w- c:\documents and settings\Bryan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-13 12:36 . 2009-07-08 16:12 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 12:36 . 2009-07-08 16:12 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-12 13:16 . 2009-06-01 08:32 41536 ----a-w- c:\documents and settings\PMB\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-12 12:56 . 2005-11-05 12:25 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-07-12 12:55 . 2007-07-16 17:38 -------- d-----w- c:\program files\Common Files\HP
2009-07-12 10:33 . 2009-06-14 17:09 -------- d-----w- c:\documents and settings\PMB\Application Data\HP
2009-07-11 14:45 . 2009-07-09 18:50 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-09 20:30 . 2009-07-09 20:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-09 18:55 . 2009-07-09 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-09 18:50 . 2009-07-09 18:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-09 18:50 . 2009-07-09 18:50 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-09 18:50 . 2009-07-09 18:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-09 18:50 . 2009-07-09 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-09 18:47 . 2009-06-01 13:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-09 18:47 . 2005-11-05 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-09 18:47 . 2005-11-05 12:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-09 18:47 . 2009-06-01 14:14 -------- d-----w- c:\program files\Symantec
2009-07-09 17:10 . 2009-07-09 17:10 -------- d-----w- c:\documents and settings\PMB\Application Data\Malwarebytes
2009-07-08 16:12 . 2009-07-08 16:12 -------- d-----w- c:\documents and settings\Pauline\Application Data\Malwarebytes
2009-07-08 16:12 . 2009-07-08 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-08 08:29 . 2007-11-29 21:22 -------- d-----w- c:\program files\Spyware Doctor
2009-07-07 18:20 . 2007-11-29 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-03 17:09 . 2004-08-10 12:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 20:32 . 2009-06-16 20:31 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-16 20:31 . 2009-06-16 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-16 14:36 . 2004-08-10 12:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 12:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 15:07 . 2009-07-09 18:55 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-03 19:09 . 2004-08-10 12:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-01 08:41 . 2009-06-01 08:41 64512 ----a-w- c:\documents and settings\PMB\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\HTML\item_templ\coach\RunGdp.exe
2009-06-01 08:39 . 2009-06-01 08:39 225280 ----a-w- c:\documents and settings\PMB\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-06-01 08:39 . 2009-06-01 08:39 698511 ----a-w- c:\documents and settings\PMB\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-06-01 08:38 . 2009-06-01 08:38 1896448 ----a-w- c:\documents and settings\PMB\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-06-01 08:38 . 2009-06-01 08:38 123138 ----a-w- c:\documents and settings\PMB\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-06-01 06:53 . 2009-06-01 06:53 390664 ----a-w- c:\documents and settings\Pauline\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-03-31 21:47 . 2008-05-03 11:53 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.


Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Sun Aug 09, 2009 6:33 pm

2nd Half Combofix report:

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 09:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-31 2478080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-11-05 98304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2003-12-09 57344]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-11 185896]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-09 1948440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-09 18:50 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [16/06/2009 21:31 130936]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [20/03/2008 21:35 348752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 20:19 13592]
S0 pthet;pthet;c:\windows\system32\drivers\hwkwt.sys --> c:\windows\system32\drivers\hwkwt.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [09/07/2009 19:50 335752]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [09/07/2009 19:50 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [09/07/2009 19:50 298776]
S3 iadusb;BT Voyager 205 ADSL Router;c:\windows\system32\drivers\glauiad.sys [02/07/2007 12:46 30371]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [17/01/2006 18:38 91841]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-09 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-08-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-29 14:55]

2009-08-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-08-09 c:\windows\Tasks\User_Feed_Synchronization-{1E499DDA-3ECD-40A6-8A50-25C102BAAA0E}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-09 19:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3898010940-2414683796-1309829356-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,28,d2,af,58,3b,fb,9c,46,96,ab,57,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,28,d2,af,58,3b,fb,9c,46,96,ab,57,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2036)
c:\windows\system32\WININET.dll
.
Completion time: 2009-08-09 19:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-09 18:17

Pre-Run: 46,237,888,512 bytes free
Post-Run: 46,253,060,096 bytes free

218 --- E O F --- 2009-08-03 17:36


Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Thu Aug 13, 2009 5:10 pm

Bump, please


Re: Malware or Trojan, unknown, multiple problems

Post by Origin on Thu Aug 13, 2009 5:27 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Sun Aug 16, 2009 8:11 pm

GMER 1.0.15.15020 [hello.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-16 21:10:23
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF8381514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF8370282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF8370474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF8381D00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF8381FB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF83803FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF8382422]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF83817D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF836FF32]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xAA665384]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A94A9D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{087F3405-C50C-733B-1D4C-B82680176732}\InprocServer32@ C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE11\MSO.DLL

---- EOF - GMER 1.0.15 ----


Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Thu Aug 20, 2009 7:06 pm

Bump, please

I am finding more problems: I am unable to re-install a printer, cannot access User Accounts, cannot access Internet Options, and cannot access Network Connections. I am afraid "someone or something" has gained some kind of control over this system. I am very grateful for your continued expertise and support.

Paul


Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Mon Aug 31, 2009 4:46 pm

Bump, please. Please let me know if any more can be done here; I appreciate your help thus far. Paul


Re: Malware or Trojan, unknown, multiple problems

Post by Belahzur on Mon Aug 31, 2009 5:20 pm

Everything looks okay here, not sure what the problem is.



Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Tue Sep 01, 2009 8:45 am

Thanks anyway. Is there an alternative course of action or forum you can recommend if I still have the following problems?

Unable to open Task Manager
Unable to open Internet Options
Unable to open User Accounts
Unable to re-install my printer

Thanks very much, Paul


Re: Malware or Trojan, unknown, multiple problems

Post by Belahzur on Tue Sep 01, 2009 5:17 pm

We might be able to get Task Manager back. Does it say it has been disabled by the administrator when you try to open it?

Same goes for internet options?



Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Tue Sep 01, 2009 6:53 pm

Hello, yes, Internet Options produces a warning that the operation has been cancelled due to restrictions in effect on this computer.

Task Manager, however, just produces a very quickly disappearing black, blank "DOS" box.

Clicking User Accounts in Control Panel produces nothing.

Many thanks


Re: Malware or Trojan, unknown, multiple problems

Post by Belahzur on Wed Sep 02, 2009 12:56 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

sc delete pthet

Next, open MBAM again; I'm pretty sure more malware is hiding.
Go into the update tab of MBAM, press "Check for updates", then once you have version 1.40, run a new scan.

Copy and paste the log back here.



Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Thu Sep 03, 2009 6:33 pm

As completely inexperienced as I am, I would have to agree that something fishy is still occurring; frustratingly, MBAM produced nothing, copied below. The other instruction was also acted upon. I want to continue to thank you for your time. Paul

Malwarebytes' Anti-Malware 1.40
Database version: 2732
Windows 5.1.2600 Service Pack 3

03/09/2009 19:28:59
mbam-log-2009-09-03 (19-28-58).txt

Scan type: Quick Scan
Objects scanned: 132245
Time elapsed: 13 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Malware or Trojan, unknown, multiple problems

Post by pmbmrfc on Thu Sep 03, 2009 6:34 pm

By the way, was "sc delete pthet" an instruction to fix/kill something particular? Just out of curiosity, thanks.


Re: Malware or Trojan, unknown, multiple problems

Post by Belahzur on Thu Sep 03, 2009 10:31 pm

pmbmrfc wrote: By the way, was "sc delete pthet" an instruction to fix/kill something particular? Just out of curiosity, thanks.

Yeah, it was just a run command to delete a leftover malicious service.


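The two messages reported in this thread ("disabled by the administrator" for Task Manager, "cancelled due to restrictions in effect on this computer" for Internet Options) come from Windows policy values that malware commonly sets, and the "sc delete pthet" step removed a registered service. The following PowerShell check is an added example, not code from the thread or from any tool it names: it reports whether those policy values are present and whether the named service is still registered, without changing anything. The registry paths are the standard Windows policy locations; the service name pthet comes from the thread; linking the silent User Accounts failure to NoControlPanel is an assumption.

```powershell
# Added example: report the policy restrictions behind the symptoms in this
# thread and confirm the service removed with "sc delete" is gone.
# Run from an elevated PowerShell prompt. Read-only: nothing is modified.

$serviceName = 'pthet'   # service name taken from the thread

# Standard Windows policy values and the symptom each one produces.
# The NoControlPanel -> User Accounts mapping is an assumption.
$policies = @(
    @{ Hive = 'HKCU:'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableTaskMgr';   Symptom = 'Task Manager "disabled by the administrator"' },
    @{ Hive = 'HKLM:'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableTaskMgr';   Symptom = 'Task Manager "disabled by the administrator"' },
    @{ Hive = 'HKCU:'; Key = 'Software\Policies\Microsoft\Internet Explorer\Restrictions'
       Value = 'NoBrowserOptions'; Symptom = 'Internet Options "cancelled due to restrictions"' },
    @{ Hive = 'HKCU:'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoControlPanel';   Symptom = 'Control Panel applets such as User Accounts blocked' }
)

foreach ($p in $policies) {
    $path = "$($p.Hive)\$($p.Key)"
    $data = $null
    if (Test-Path -Path $path) {
        # Missing value name yields $null rather than an error.
        $item = Get-ItemProperty -Path $path -Name $p.Value -ErrorAction SilentlyContinue
        if ($item) { $data = $item.($p.Value) }
    }
    if ($data -eq 1) {
        Write-Output "RESTRICTION SET: $path\$($p.Value) = 1  -> $($p.Symptom)"
    } else {
        Write-Output "ok: $path\$($p.Value) not set"
    }
}

# A service deleted with "sc delete" disappears from the service database;
# if it is still listed, the deletion did not take effect (or it was re-created).
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output "service '$serviceName' still registered (status: $($svc.Status))"
} else {
    Write-Output "service '$serviceName' not registered (deleted or never present)"
}
```

A value that is set can be cleared with Remove-ItemProperty once the infection itself has been confirmed cleaned; clearing it earlier only hides the symptom, since active malware will typically set it again.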
