
Ran Malwarebytes,Combofix,still have problems...



I started experiencing problems a few days ago, getting fake security alerts, progressing to the point now of several non-working programs and other problems.

I first ran a Norton antivirus scan and Malwarebytes anti-malware scans with no success. Per the recommendations in a thread here, I then downloaded and ran Combofix (after also making sure I have the Windows Recovery program),

after which the problems appear to be worse for some reason. Aside from complete system instability, the Acer Empowering program is not working completely, which has led to the machine being set on the "slow" processor setting and the screen backlight being cut off, both of which are making it even harder to try to get things sorted out.

I just ran HijackThis; the log is below, as well as a Malwarebytes log.

Thanks for your time,

Chris

-- HijackThis ------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:25:38 AM, on 2/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\ehome\mcrdsvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\Program Files\Windows NT\Accessories\wordpad.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/MgViewer...AB/mgaxctrl.cab

O20 - Winlogon Notify: i975gl - C:\WINDOWS\SYSTEM32\i975gl.dll

O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 5364 bytes

-- Malwarebytes ----------------------------------------------------------

Malwarebytes' Anti-Malware 1.33

Database version: 1714

Windows 5.1.2600 Service Pack 3

2/4/2009 7:16:03 AM

mbam-log-2009-02-04 (07-16-03).txt

Scan type: Quick Scan

Objects scanned: 54692

Time elapsed: 3 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\Drivers\ndisio.sys (Backdoor.Bot) -> Delete on reboot.


  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Combofix log:

ComboFix 09-02-01.01 - ENP 2009-02-04 20:43:34.3 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.628 [GMT -5:00]

Running from: c:\documents and settings\ENP\Desktop\ComboFix.exe

AV: Norton AntiVirus 2006 *On-access scanning disabled* (Outdated)

FW: Norton Internet Worm Protection *enabled*

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\00setup.exe

c:\windows\system32\303374.exe

c:\windows\system32\a9k.bin

c:\windows\system32\drivers\seneka.sys

c:\windows\system32\drivers\senekaxpfjvlqo.sys

c:\windows\system32\idaw64.exe

c:\windows\system32\senekamidivayo.dat

c:\windows\system32\senekaotlcnvoi.dll

c:\windows\system32\senekapfjpexet.dat

c:\windows\system32\senekapop.dll

c:\windows\system32\senekaroptevrx.dll

c:\windows\system32\senekasspqqhxn.dll

c:\windows\system32\test.ttt

c:\windows\system32\uniq.tll

c:\windows\system32\win32hlp.cnf

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_SENEKA

-------\Service_SENEKA

-------\Legacy_PROTECT

-------\Service_Passthru

((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))

.

2009-02-04 20:48 . 2009-02-04 20:48 <DIR> d--hs---- C:\FOUND.007

2009-02-04 20:04 . 2009-02-04 20:04 61,440 --a------ c:\windows\system32\drivers\qteecrkp.sys

2009-02-03 19:32 . 2009-02-03 19:32 79,878 --a------ c:\windows\system32\xp-dc-av.exe

2009-02-03 17:58 . 33,920 c:\windows\system32\drivers\ymkrvdsy.sys

2009-02-03 17:54 . 2009-02-03 17:54 0 --a------ c:\windows\system32\10.tmp

2009-02-03 17:42 . 66,560 c:\windows\system32\secupdat.dat

2009-02-03 17:42 . 2009-02-03 17:42 32,768 --ah----- c:\documents and settings\ENP\eajsqx.exe

2009-02-02 19:21 . 2009-02-03 19:19 130 --a------ c:\windows\adobe.bat

2009-02-02 19:21 . 2009-02-02 19:26 5 --a------ c:\windows\_id.dat

2009-02-02 18:20 . 2009-02-02 20:09 138,496 --a------ c:\windows\system32\drivers\ethrywbb.sys

2009-02-02 18:19 . 2009-02-02 18:24 162,628 --a------ c:\windows\system32\16.tmp

2009-02-02 18:19 . 2009-02-02 18:19 61,440 --a------ c:\windows\system32\14.tmp

2009-02-02 18:16 . 2009-02-02 18:20 162,628 --a------ c:\windows\system32\11.tmp

2009-02-02 18:15 . 2009-02-02 19:31 64,512 --a------ c:\windows\system32\hhupd.exe

2009-02-02 16:54 . 2009-02-02 18:19 64,512 --a------ c:\windows\system32\7z.exe

2009-02-02 16:42 . 2009-02-02 16:42 128,306 --a------ c:\windows\system32\126_av.exe

2009-02-02 16:39 . 2009-02-03 07:18 7 --a------ c:\windows\system32\nbr.bin

2009-02-02 09:14 . 2009-02-02 09:14 <DIR> d-------- c:\program files\Trend Micro

2009-02-02 09:11 . 2009-02-02 09:11 102,567 --a------ c:\windows\system32\z98.bin

2009-02-02 09:11 . 2009-02-02 09:11 23,703 --a------ c:\windows\system32\i975gl.dll

2009-02-02 09:11 . 2009-02-02 09:11 8,656 --a------ c:\windows\system32\mjva.sys

2009-02-01 20:59 . 2009-02-01 20:59 0 --a------ c:\windows\system32\drivers\senekapeyksiiq.sys

2009-02-01 18:47 . 2009-02-01 18:47 61,440 --a------ c:\windows\system32\chert13-303374.exe

2009-02-01 18:32 . 2009-02-01 20:23 59 --a------ c:\windows\system32\senekabiwnaoiv.dat

2009-02-01 18:27 . 2009-02-01 18:27 15,872 --a------ c:\windows\system32\senekajsoxyrfg.dll

2009-02-01 18:27 . 2009-02-01 18:27 14,336 --a------ c:\windows\system32\senekaebmeeksx.dll

2009-02-01 18:27 . 2009-02-01 20:57 5,583 --a------ c:\windows\system32\senekawjugxapu.dat

2009-02-01 18:26 . 2009-02-01 18:27 67,584 --a------ c:\windows\system32\drivers\senekavihhdlrq.sys

2009-02-01 18:26 . 2009-02-01 20:57 49,152 --a------ c:\windows\system32\senekadkeripge.dll

2009-02-01 18:00 . 2009-02-01 18:47 90,112 --a------ c:\windows\DUMP4bbe.tmp

2009-01-31 14:23 . 2009-01-31 14:23 142,848 --a------ c:\windows\system32\dllcache\userinit.exe

2009-01-16 23:54 . 2009-01-16 23:54 <DIR> d-------- c:\program files\Windows Media Connect 2

2009-01-16 23:52 . 2009-01-16 23:52 <DIR> d-------- c:\windows\system32\LogFiles

2009-01-16 23:52 . 2009-01-16 23:52 <DIR> d-------- c:\windows\system32\drivers\UMDF

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-05 01:04 116 ----a-w c:\program files\mlfaw.txt

2009-01-31 19:23 142,848 ----a-w c:\windows\system32\userinit.exe

2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-01-06 01:20 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF

2009-01-06 01:20 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL

2009-01-06 01:20 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-06 01:20 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT

2008-12-21 00:45 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2008-12-21 00:45 --------- d-----w c:\documents and settings\ENP\Application Data\Malwarebytes

2008-12-21 00:45 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys

2008-09-27 21:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092720080928\index.dat

.

------- Sigcheck -------

2008-04-13 20:12 31744 f64f985b5fa1151527fa67b0cfd0a1fc c:\windows\system32\svchost.exe

2004-08-10 20:00 31744 ec10d28993edd1fa242f963d707531ea c:\windows\$NtServicePackUninstall$\svchost.exe

2008-04-13 20:12 31744 b63d4eac4411d82dc0666e818afbbfe2 c:\windows\ServicePackFiles\i386\svchost.exe

2008-04-13 20:12 1051136 46c8a27b7b3c0d8ec49b44f3826b2459 c:\windows\explorer.exe

2007-06-13 07:26 1050624 5d9eea15fc2bdbe956776d03baaa2399 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

2004-08-10 20:00 1049600 8ab27a9dd2a7cadc2a4636dd909e78ec c:\windows\$NtUninstallKB938828$\explorer.exe

2007-06-13 06:23 1050624 141faec64e4d0cdbc4ce1b000701928a c:\windows\$NtServicePackUninstall$\explorer.exe

2008-04-13 20:12 1051136 6726f60b202871310c0efa0d00062a85 c:\windows\ServicePackFiles\i386\explorer.exe

2008-04-13 20:12 32768 50f4215524d0d1803cc975ae94694b0b c:\windows\system32\ctfmon.exe

2004-08-10 20:00 32768 057040bf84f054ed72f2a6ebbd519c1a c:\windows\$NtServicePackUninstall$\ctfmon.exe

2008-04-13 20:12 32768 8f97f7134775d9aa4eb3848546f7a52c c:\windows\ServicePackFiles\i386\ctfmon.exe

2008-04-13 20:12 75264 9581f015e83eb5a8280e39e58e786c63 c:\windows\system32\spoolsv.exe

2005-06-10 19:17 75264 5f89695740f8a9e31c6d573788ba5f3f c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

2004-08-10 20:00 75264 50fdc3c978140e772f10374fbbb403c3 c:\windows\$NtUninstallKB896423$\spoolsv.exe

2005-06-10 18:53 75264 e5f909627203031839a8c7fc23477314 c:\windows\$NtServicePackUninstall$\spoolsv.exe

2008-04-13 20:12 75264 d8b6efa71bb8924f62da433d4cdd5b21 c:\windows\ServicePackFiles\i386\spoolsv.exe

2009-01-31 14:23 142848 09890a05da6fc9bf43920c22e8ae615e c:\windows\system32\userinit.exe

2009-01-31 14:23 142848 09890a05da6fc9bf43920c22e8ae615e c:\windows\system32\dllcache\userinit.exe

2004-08-10 20:00 41984 f844fcc83caf191a69c90fa006b47865 c:\windows\$NtServicePackUninstall$\userinit.exe

2008-04-13 20:12 43520 1623f8316033f4ff4ce4ee222fc1deb7 c:\windows\ServicePackFiles\i386\userinit.exe

.

((((((((((((((((((((((((((((( snapshot@2009-02-01_18.22.57.96 )))))))))))))))))))))))))))))))))))))))))

.

- 2005-10-20 13:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

+ 2005-10-20 13:02:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE

- 2006-07-18 12:51:44 401,408 ----a-w c:\windows\system32\ati2evxx.exe

+ 2006-07-18 12:51:44 421,888 ----a-w c:\windows\system32\ati2evxx.exe

- 2009-02-01 23:01:18 16,384 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-05 01:49:02 16,384 ------w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-01 23:43:28 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

- 2009-02-01 23:01:18 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-05 01:49:02 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-03 00:20:20 78,848 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\05Y7KXYN\em[1].exe

+ 2009-02-03 01:04:58 78,848 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DENWHQ7\em[1].exe

+ 2009-02-02 13:52:32 142,848 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DENWHQ7\lsp[1].exe

+ 2009-02-02 21:42:30 2,823,624 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DENWHQ7\main[1].exe

+ 2009-02-04 00:37:20 6,629,451 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8DENWHQ7\setup[1].dat

+ 2009-02-02 21:42:34 28,160 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CL6FSTYF\l26[1].exe

- 2009-02-01 23:01:18 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-05 01:49:02 32,768 ------w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 32768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\i975gl]

2009-02-02 09:11 23703 c:\windows\system32\i975gl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mjva.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ymkrvdsy.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk

backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePresentation HPD]

--a------ 2006-03-31 16:39 225280 c:\acer\Empowering Technology\ePresentation\ePresentation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]

--a------ 2006-05-10 11:12 110592 c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]

--------- 2006-04-14 22:35 73728 c:\program files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boot]

--a------ 2006-03-15 22:12 600576 c:\acer\Empowering Technology\ePower\Boot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]

--a------ 2008-02-11 17:22 53096 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 20:12 32768 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

--a------ 2005-08-05 13:56 81920 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]

--a------ 2006-05-30 12:11 442368 c:\acer\Empowering Technology\ePower\ePower_DMC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]

--a------ 2006-06-01 14:40 434176 c:\acer\Empowering Technology\eRecovery\eRAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

--a------ 2004-08-10 20:00 229432 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]

--a------ 2006-06-23 06:59 622592 c:\progra~1\LAUNCH~1\LManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

---hs---- 2008-04-13 20:12 1712640 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

--a------ 2004-08-10 20:00 84408 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]

--a------ 2005-05-11 17:15 69900 c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

--a------ 2004-08-10 20:00 472576 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

--a------ 2004-08-10 20:00 472576 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-07-26 03:03 69743 c:\program files\Java\jre1.5.0_08\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

--a------ 2006-03-03 13:07 782426 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

-ra------ 2004-11-22 08:18 327680 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]

--a------ 2006-09-23 13:08 81920 c:\acer\WR_PopUp\WarReg_PopUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-03 03:43 90112 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

--a------ 2006-06-27 23:54 16266752 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

--a------ 2006-05-16 03:04 2899968 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"="1"

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ymkrvdsy;ymkrvdsy;c:\windows\system32\Drivers\ymkrvdsy.sys --> c:\windows\system32\Drivers\ymkrvdsy.sys [?]

R1 mjva;Java VirtualMachine Device;c:\windows\system32\mjva.sys [2009-02-02 8656]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2006-12-26 102712]

S1 ethrywbb;ethrywbb;c:\windows\system32\drivers\ethrywbb.sys [2009-02-02 138496]

S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]

S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2009-01-31 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - ENP.job

- c:\progra~1\NORTON~1\Navw32.exe [2007-05-23 12:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.myspace.com/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://en.us.acer.yahoo.com

uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

LSP: c:\docume~1\ADMINI~1\LOCALS~1\Temp\ntdll64.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-04 20:49:41

Windows 5.1.2600 Service Pack 3 FAT NTAPI

detected NTDLL code modification:

ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\i975gl.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Norton AntiVirus\IWP\NPFMntor.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

.

**************************************************************************

.

Completion time: 2009-02-04 20:51:32 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-05 01:51:28

ComboFix3.txt 2009-02-01 23:23:52

ComboFix2.txt 2009-02-02 02:04:32

Pre-Run: 24,529,108,992 bytes free

Post-Run: 24,824,872,960 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

284 --- E O F --- 2009-01-19 03:57:39

-- HijackThis ------------------------------------------------------------

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:50:06 PM, on 2/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/MgViewer...AB/mgaxctrl.cab

O20 - Winlogon Notify: i975gl - C:\WINDOWS\SYSTEM32\i975gl.dll

O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE

O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 5045 bytes
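The log above is a HijackThis report, and the usual first step in reading one is to sort entries by section and pick out the kinds an analyst checks first: orphaned entries that point at a file that no longer exists, services with no vendor name, Winlogon Notify DLLs, and ActiveX controls pulled from a URL. The following parser is an added example, not HijackThis code or anything posted in this thread; it takes a handful of entries copied from the log above as sample input, and the review heuristics in it are assumptions about what is worth a second look, not a verdict on any entry.

```python
import re
from collections import Counter

# Entries copied from the HijackThis log posted above (a subset, used as sample input).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.onlinegis.net/download/MgViewer...AB/mgaxctrl.cab
O20 - Winlogon Notify: i975gl - C:\WINDOWS\SYSTEM32\i975gl.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# A HijackThis entry starts with a section code (R0..R3, F0..F3, N1..N4, O1..O24) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_hjt(text):
    """Return a list of (section_code, body) tuples; lines that are not entries are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def count_by_section(entries):
    """How many entries each section contributed, e.g. {'O23': 2, 'O4': 2, ...}."""
    return Counter(code for code, _ in entries)

# Review heuristics (assumed here, not HijackThis's own logic): sections an analyst
# normally reads first, and why.
SECTION_NOTES = {
    "O20": "Winlogon Notify DLL is loaded into winlogon.exe at logon; verify publisher and hash",
    "O16": "ActiveX control downloaded from a URL; confirm the source is trusted",
}

def triage(entries):
    """Return (code, body, reason) for every entry that deserves a closer look."""
    findings = []
    for code, body in entries:
        if "(no file)" in body:
            findings.append((code, body, "orphaned entry: the referenced file is missing"))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, body, "service without a vendor name; check the binary's signature"))
        elif code in SECTION_NOTES:
            findings.append((code, body, SECTION_NOTES[code]))
    return findings

if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print(dict(count_by_section(found)))
    for code, body, reason in triage(found):
        print(f"{code}: {reason}\n    {body}")
```

Run on the sample, it reports four entries for review (the orphaned R3 hook, the O16 control, the O20 DLL and the O23 service with no owner) and leaves the Symantec, ATI and ctfmon entries alone; a real review would then confirm each flagged file's publisher and hash rather than act on the log line by itself.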


  • Root Admin

Well, as I'm sure you can see in the logs, these core XP files are infected.

c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

Combofix looks for replacement files that are not infected but was unable to locate any on your system.

Do you have the original Windows XP CD that came with the computer or that was used to install XP?

Without that CD it's going to be close to impossible to fix this. Even with the CD it may be challenging to fix.

Let me know please.
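The reply above says the fix depends on finding clean copies of userinit.exe, svchost.exe, spoolsv.exe and explorer.exe. The way a defender confirms that a candidate copy is clean, or that a repair actually took, is to hash each file and compare it against a manifest taken from a known-good installation of the same service pack. The script below is an added example, not a tool from this thread or from Combofix; the directory layout mirroring C:\WINDOWS, the "clean" and "suspect" trees and the placeholder file contents are all constructed for the demo.

```python
import hashlib
import os
import tempfile

# Relative paths of the core files named in the reply above; layout assumed to mirror C:\WINDOWS.
CORE_FILES = [
    "system32/userinit.exe",
    "system32/svchost.exe",
    "system32/spoolsv.exe",
    "explorer.exe",
]

def sha256_file(path):
    """Stream the file through SHA-256 so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(clean_root, relpaths):
    """Record the hash of each file under a known-clean tree (same XP version and service pack)."""
    return {rel: sha256_file(os.path.join(clean_root, rel)) for rel in relpaths}

def verify(suspect_root, manifest):
    """Compare each file in the suspect tree against the manifest: ok / MODIFIED / missing."""
    report = {}
    for rel, expected in manifest.items():
        path = os.path.join(suspect_root, rel)
        if not os.path.isfile(path):
            report[rel] = "missing"
        elif sha256_file(path) == expected:
            report[rel] = "ok"
        else:
            report[rel] = "MODIFIED"
    return report

def demo():
    """Constructed scenario: a clean tree, and a suspect tree with two altered files and one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        suspect = os.path.join(tmp, "suspect")
        for root in (clean, suspect):
            os.makedirs(os.path.join(root, "system32"))
            for rel in CORE_FILES:
                with open(os.path.join(root, rel), "wb") as f:
                    # Constructed placeholder bytes, not real Windows binaries.
                    f.write(b"placeholder contents for " + rel.encode())
        # Constructed tampering: append bytes to two files and delete a third.
        for rel in ("system32/userinit.exe", "explorer.exe"):
            with open(os.path.join(suspect, rel), "ab") as f:
                f.write(b" tampered")
        os.remove(os.path.join(suspect, "system32/spoolsv.exe"))
        manifest = build_manifest(clean, CORE_FILES)
        return verify(suspect, manifest)

if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9s} {rel}")
```

The manifest has to come from a machine with the same XP version and service pack, since these files legitimately change between patch levels; a mismatch against the wrong reference is not evidence of infection, which is why the reply insists on the matching install media.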


  • Root Admin

Possibly borrow a CD from a friend or co-worker?

All check around but as I said, even with that disk it might not be easy to fix it now without a re-install but it's possible with the right tools.

Do you have access to another computer running the same version of XP that also has a CD burner?


Possibly borrow a CD from a friend or co-worker?

All check around but as I said, even with that disk it might not be easy to fix it now without a re-install but it's possible with the right tools.

Do you have access to another computer running the same version of XP that also has a CD burner?

My main worry was saving my pictures and documents from the laptop, which I was able to burn to CD tonight, so I am okay with any option at this point.

My PC has XP on it also, but again, I'm not sure where the recovery CD is (blame an unorganized girlfriend on both counts on the lost CDs). I'm pretty sure I can borrow one from one of my coworkers....

So, would a reformat be your suggestion as the easiest, most effective option?

Thanks

Chris


  • Root Admin

Well the best option in my opinion would be an FDISK, Format, and re-install of Windows.

But a few things to consider.

Often new/newer systems nowadays have a RECOVERY partition built in on another drive partition that can be used to restore the system back to the way it was when it came from the factory, and they don't ship a CD with it.

Even if there is no recovery partition many models have a CD available to purchase for a much lower fee than any other source. Dell, HP, Sony offer this and I'm sure others do as well. I've done a couple of HP systems and they charged like $18 for the recovery CD. You just had to provide some documentation about owning the system.

What make and model is this?

In order to do a wipe and re-install you will need the same type of XP CD as the one that was installed and the Certificate of Authenticity with the full XP installation key or you won't be able to install it.

Now, this doesn't mean that we can't repair it, but that it certainly will take a bit more work to repair it.

Let me know what your thoughts are and we can go from there.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
