
Hello,

On a PC which runs Windows XP Professional, I got a notification about a trojan from Norton Internet Security yesterday, with a suggestion to download FixTDSS, which I did. However, it seems the IP connection is lost. ipconfig gives the following error:

"An internal error occurred: The request is not supported.

Additional information: Unable to query host name."

I downloaded Malwarebytes Anti-Malware and ran it. Since there was no internet connection, the database is 97 days old; I could not get an update. Still, it found 14 file infections and 1 registry infection, which were successfully quarantined.

Even after this, I could not restore IP connectivity on the PC. I tried rebooting the router/cable modem as well as resetting the router to defaults and changing all router security settings, still no luck.

The network is up though, and I have a laptop on a wired connection to the router working fine; only the PC still has IP issues.

Next, I downloaded the dds script and ran that. The mbam quick scan and dds logs are below:

Any help in getting a fix for this is much appreciated.

Thanks

mbam-log

========

Scan type: Quick scan

Objects scanned: 182904

Time elapsed: 6 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Vxyz\local settings\Temp\cmwasrnoex.exe (Trojan.MSIL.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\local settings\Temp\xcemarwnso.exe (Trojan.MSIL.Gen) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb10189593.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb10190250.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb10190500.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb10190656.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb10191031.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb10191156.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb4156203.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb4156218.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb4156359.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb4157046.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb4157109.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\documents and settings\Vxyz\application data\Adobe\plugs\kb4157140.exe (Trojan.Agent) -> Quarantined and deleted successfully.

dds.txt

=======

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17

Run by Vxyz at 10:01:03 on 2011-12-07

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2418 [GMT -8:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe

C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe

C:\Program Files\DivX\DivX Update\DivXUpdate.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe

C:\Program Files\D-Link AirPlus Xtreme G\Reg.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\M-Audio Fast Track\GBInst.exe

C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe

C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe

C:\PROGRA~2\Yahoo!\MESSEN~1\ymsgr_tray.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"

uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"

uRun: [Messenger (Yahoo!)] "c:\progra~2\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [Google Update] "c:\documents and settings\Vxyz\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\2\printray.exe

mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe

mRun: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"

mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

StartupFolder: c:\docume~1\Vxyz\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~2.lnk - c:\program files\d-link airplus xtreme g\Reg.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: turbotax.com

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135662289357

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{0C51ABAD-DADE-439A-A348-30C0ADE64729} : DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{7D3CBFF2-4B50-47AE-B6D3-5D439C4BA3F6} : DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{D72F67B4-22A1-4114-9F13-90CD56FFD9AC} : DhcpNameServer = 192.168.0.1

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\Vxyz\application data\mozilla\firefox\profiles\up5a3r5r.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - plugin: c:\documents and settings\Vxyz\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\program files\realarcade\npracplug2.dll

FF - plugin: d:\picasa3\npPicasa3.dll

.

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.02.10);user_pref(general.useragent.extra.zencast,

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-9 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-9 744568]

R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\bashdefs\20111123.001\BHDrvx86.sys [2011-11-29 819320]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-9 136312]

R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2010-2-21 68136]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]

R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2010-6-1 367456]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-9 106104]

R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\ipsdefs\20111203.001\IDSXpx86.sys [2011-12-5 356280]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20111206.002\NAVENG.SYS [2011-12-6 86136]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.5.0.125\definitions\virusdefs\20111206.002\NAVEX15.SYS [2011-12-6 1576312]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-21 1684736]

S3 LuIPSec;Al-Lu VPN Miniport;c:\windows\system32\drivers\luipsec.sys --> c:\windows\system32\drivers\luipsec.sys [?]

S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\ma763010.sys --> c:\windows\system32\drivers\MA763010.sys [?]

S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2007-4-17 196409]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

.

=============== Created Last 30 ================

.

2011-12-07 17:24:23 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-07 17:23:11 134464 ----a-w- c:\windows\system32\LnkProtect.dll

2011-12-07 04:58:14 44024 ----a-r- c:\windows\system32\drivers\SymIM.sys

2011-12-06 21:56:35 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

.

==================== Find3M ====================

.

2011-12-07 17:59:04 17488 ----a-w- c:\windows\gdrv.sys

2011-09-12 16:50:48 0 ----a-w- c:\windows\Dpibetacoy.bin

2002-08-15 16:54:38 3198976 -c--a-w- c:\program files\ViewSonicregistration.exe

.

============= FINISH: 10:01:51.39 ===============

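The mbam-log and dds.txt posted above are the two formats a helper reads when triaging a thread like this. As an added example that is not part of the original post or of the Malwarebytes or DDS tools, here is a small Python parser that pulls the detections out of the MBAM log, and the orphaned BHO/TB/EB entries, autorun commands and DHCP name servers out of the DDS pseudo-HJT report, then flags what a practitioner would look at first: detections and autoruns in user-writable locations (the Temp and Application Data\Adobe\plugs droppers above) and autorun commands that do not start with an absolute path. The sample lines are copied from the post; the flagging heuristics and the function names are this example's own assumptions, and a flag means "verify", not "malicious" (legitimate per-user updaters such as Google Update also live under Application Data).

```python
"""Triage helper for the mbam-log and dds.txt formats posted above.
Added example, not part of the original thread or of the MBAM/DDS tools.
Sample lines are copied from the post; the flagging heuristics are this
example's own assumptions and mean "check first", not "malicious"."""
import re
from collections import Counter

# One MBAM detection line: "<item> (<threat>) -> <action>."
MBAM_HIT = re.compile(r"^(?P<item>\S.*?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# DDS pseudo-HJT lines: orphaned browser objects, autoruns, DHCP name servers.
ORPHAN = re.compile(r"^(?:BHO|TB|EB): .+ - No File$")
AUTORUN = re.compile(r"^(?P<hive>[um]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DNS = re.compile(r"^TCP: (?:Interfaces\\\{[^}]+\} : )?DhcpNameServer = (?P<servers>.+)$")
# Directories a non-admin XP user can write to; every dropper in the post sits
# under one of them (legitimate per-user updaters live there too).
USER_WRITABLE = ("\\temp\\", "\\application data\\")

# Constructed sample: lines taken from the posted mbam-log and dds.txt.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Vxyz\local settings\Temp\cmwasrnoex.exe (Trojan.MSIL.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Vxyz\local settings\Temp\xcemarwnso.exe (Trojan.MSIL.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Vxyz\application data\Adobe\plugs\kb10189593.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""
DDS_LOG = r"""
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\Vxyz\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [VF0060 STISvc] RunDLL32.exe V0060Pin.dll,RunDLL32EP 513
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{D72F67B4-22A1-4114-9F13-90CD56FFD9AC} : DhcpNameServer = 192.168.0.1
"""


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def is_absolute(cmd):
    # Bare names ("RunDLL32.exe foo.dll") are resolved through the search path
    # at logon, so a planted file earlier in that path wins: a classic hijack.
    return re.match(r'^"?[a-z]:\\', cmd, re.IGNORECASE) is not None


def parse_mbam(text):
    """Return one dict per detection; headers and 'no items' lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = MBAM_HIT.match(line.strip())
        if m:
            item = m.group("item")
            hits.append({"item": item, "threat": m.group("threat"), "action": m.group("action"),
                         "kind": "registry" if item.upper().startswith("HKEY_") else "file",
                         "user_writable": in_user_writable(item)})
    return hits


def parse_dds(text):
    """Pull orphaned BHO/TB/EB entries, autoruns (with flags) and DNS servers."""
    orphaned, autoruns, servers = [], [], set()
    for line in text.splitlines():
        line = line.strip()
        if ORPHAN.match(line):
            orphaned.append(line)
            continue
        m = AUTORUN.match(line)
        if m:
            cmd = m.group("cmd")
            flags = []
            if in_user_writable(cmd):
                flags.append("user-writable location")
            if not is_absolute(cmd):
                flags.append("no absolute path")
            autoruns.append({"hive": m.group("hive"), "name": m.group("name"), "cmd": cmd, "flags": flags})
            continue
        m = DNS.match(line)
        if m:
            servers.update(m.group("servers").split())
    return {"orphaned": orphaned, "autoruns": autoruns, "dns_servers": sorted(servers)}


def triage(mbam_text, dds_text):
    """Summary a responder would read first; counts and names are plain data."""
    hits, dds = parse_mbam(mbam_text), parse_dds(dds_text)
    return {"detections": len(hits),
            "threats": Counter(h["threat"] for h in hits),
            "dropper_paths": [h["item"] for h in hits if h["kind"] == "file" and h["user_writable"]],
            "orphaned_entries": len(dds["orphaned"]),
            "flagged_autoruns": [a["name"] for a in dds["autoruns"] if a["flags"]],
            "dns_servers": dds["dns_servers"]}


if __name__ == "__main__":
    for key, value in triage(MBAM_LOG, DDS_LOG).items():
        print(f"{key}: {value}")
```

Run against the full logs in the post, the same code lists all fourteen Adobe\plugs and Temp droppers as user-writable drop locations, the three "No File" browser objects, the handful of mRun entries that rely on search-path resolution (RunDLL32, nwiz, RTHDCPL), and the two distinct DHCP name-server sets the machine has seen (the ISP's 209.18.47.x and the router at 192.168.0.1), which is worth knowing before touching the TCP/IP configuration.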

  • 4 weeks later... (Staff reply)

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.


  • 1 month later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
