Browser Hangs - Can't get into Safe Mode


After the problem first appeared I ran mbam and it found and fixed it, I thought. Problem reappeared a bit later. Ran mbam again and it found and fixed more problems. Ran mbam again and it could not find any more problems.

Supposed to be clean, but the computer is still having issues, so I have run the other scans you requested and am hoping you can fix this. I have attached the logs requested plus the logs from the two times mbam found problems. Thank you for all your help.

Here's the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86

Run by owner at 14:44:39.03 on Wed 01/20/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2560 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Yahoo!\Common\YMailAdvisor.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.yahoo.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.yahoo.com

mDefault_Search_URL = hxxp://www.google.com/ie

mSearch Page = hxxp://www.google.com

mStart Page = hxxp://www.yahoo.com

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearchAssistant = hxxp://www.google.com

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [DelReg] c:\program files\msi\dualcorecenter\DelReg.exe

mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dualco~1.lnk - c:\program files\msi\dualcorecenter\StartUpDualCoreCenter.exe

uPolicies-system: EnableProfileQuota = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab

DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://www.creative.com/softwareupdate/su/ocx/15101/CTSUEng.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su/ocx/15106/CTPID.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

AppInit_DLLs: c:\windows\system32\avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-10 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-10 27784]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-10 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-10 297752]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]

S1 242355B7F;242355B7F;c:\windows\system32\drivers\242355B7F.sys [2010-1-16 72192]

S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-10 108552]

S1 SASDIFSV;SASDIFSV;\??\e:\superantispyware\sasdifsv.sys --> e:\superantispyware\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\e:\superantispyware\saskutil.sys --> e:\superantispyware\SASKUTIL.sys [?]

S1 Udp;Udp;c:\windows\system32\drivers\Udp.sys [2010-1-19 0]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]

S3 SASENUM;SASENUM;\??\e:\superantispyware\sasenum.sys --> e:\superantispyware\SASENUM.SYS [?]

=============== Created Last 30 ================

2010-01-20 22:40:20 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-01-20 20:50:35 0 ----a-w- c:\windows\system32\drivers\??.sys

2010-01-20 14:11:36 0 ----a-w- c:\windows\system32\drivers\.sys

2010-01-19 22:10:55 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com

2010-01-19 22:10:55 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-01-19 22:08:15 0 ----a-w- c:\windows\system32\drivers\Udp.sys

2010-01-17 06:13:13 72192 ----a-w- c:\windows\system32\drivers\242355B7F.sys

2010-01-16 22:03:43 212 ----a-w- c:\windows\system32\16827.exe

2010-01-16 21:43:42 212 ----a-w- c:\windows\system32\23281.exe

2010-01-16 21:23:41 212 ----a-w- c:\windows\system32\28145.exe

2010-01-16 21:03:41 212 ----a-w- c:\windows\system32\5705.exe

2010-01-16 20:43:40 212 ----a-w- c:\windows\system32\24464.exe

2010-01-16 20:23:40 0 ----a-w- c:\windows\system32\26962.exe

2010-01-16 20:03:09 212 ----a-w- c:\windows\system32\29358.exe

2010-01-16 19:43:09 0 ----a-w- c:\windows\system32\11478.exe

2010-01-16 19:23:08 166 ----a-w- c:\windows\system32\15724.exe

2010-01-16 18:43:00 0 ----a-w- c:\windows\system32\26500.exe

2010-01-16 16:45:17 1 ----a-w- C:\s

2010-01-13 00:53:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-18 21:45:44 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-01-17 06:13:12 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-01-08 00:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-08 00:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-29 21:34:50 262144 ----a-w- C:\ntuser.dat

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

2009-07-24 09:16:39 15193 ----a-w- c:\program files\common files\ejab.lib

2009-07-24 09:16:39 12383 ----a-w- c:\program files\common files\udapok.dat

2008-10-03 07:14:50 420144 ----a-w- c:\program files\GPU-Z.0.2.8.exe

2008-06-28 19:57:58 6602240 ----a-w- c:\program files\mplayerc.exe

============= FINISH: 14:45:46.28 ===============

Attach.zip

mbam_logs.zip

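The "Created Last 30" section of that DDS log is where the infection shows itself: executables with purely numeric names (16827.exe, 23281.exe, 28145.exe, ...) written into system32 about twenty minutes apart, a hex-named driver (242355B7F.sys), and zero-byte driver files, one of them with an unprintable name. The script below is an added example, not part of the post and not DDS or Malwarebytes code; it parses lines in the DDS "Created Last 30" format and flags those patterns so an analyst reading such a log can triage it faster. The sample lines are copied from the log above; the thresholds (a hex-looking stem of eight or more characters, three flagged files in one directory on one day counting as a burst) are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample lines copied from the "Created Last 30" section of the DDS log in the
# post above (a subset of the entries, not the whole section).
SAMPLE_LOG = r"""
2010-01-20 22:40:20 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-01-20 20:50:35 0 ----a-w- c:\windows\system32\drivers\??.sys
2010-01-19 22:08:15 0 ----a-w- c:\windows\system32\drivers\Udp.sys
2010-01-17 06:13:13 72192 ----a-w- c:\windows\system32\drivers\242355B7F.sys
2010-01-16 22:03:43 212 ----a-w- c:\windows\system32\16827.exe
2010-01-16 21:43:42 212 ----a-w- c:\windows\system32\23281.exe
2010-01-16 20:23:40 0 ----a-w- c:\windows\system32\26962.exe
2010-01-13 00:53:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
"""

# One DDS "Created Last 30" entry: date, time, size in bytes, 8 attribute flags, path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
BURST_MIN = 3  # assumed threshold: flagged files per directory per day


@dataclass
class Entry:
    date: str
    time: str
    size: int
    attrs: str
    path: str  # stored lower-cased, as DDS already prints most paths

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def stem(self) -> str:
        return self.name.rsplit(".", 1)[0]


def parse(text: str) -> list[Entry]:
    """Parse every line that matches the DDS entry layout; ignore the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, time, size, attrs, path = m.groups()
            entries.append(Entry(date, time, int(size), attrs, path.lower()))
    return entries


def flags_for(e: Entry) -> list[str]:
    """Return the reasons (possibly none) why one entry looks suspicious."""
    reasons = []
    in_sys32 = "\\windows\\system32\\" in e.path
    is_exec = e.name.endswith(EXEC_EXT)
    if is_exec and in_sys32:
        if e.stem.isdigit():
            reasons.append("numeric-only executable name in system32")
        elif re.fullmatch(r"[0-9a-f]{8,}", e.stem):
            reasons.append("hex-looking driver/executable name in system32")
    if not e.stem:
        reasons.append("extension-only file name")
    elif not re.fullmatch(r"[\w.\-~ ]+", e.name):
        reasons.append("unprintable characters in file name")
    if is_exec and e.size == 0:
        reasons.append("zero-byte executable/driver")
    return reasons


def triage(text: str) -> dict:
    """Flag individual entries, then report directories that received several
    flagged files on the same day (a dropper writing in a loop looks like this)."""
    entries = parse(text)
    findings = {e.path: flags_for(e) for e in entries}
    findings = {p: r for p, r in findings.items() if r}
    counts: dict[tuple[str, str], int] = {}
    for e in entries:
        if e.path in findings:
            key = (e.path.rsplit("\\", 1)[0], e.date)
            counts[key] = counts.get(key, 0) + 1
    bursts = {k: n for k, n in counts.items() if n >= BURST_MIN}
    return {"findings": findings, "bursts": bursts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, reasons in result["findings"].items():
        print(f"{path}: {', '.join(reasons)}")
    for (directory, day), n in result["bursts"].items():
        print(f"burst: {n} suspicious files created in {directory} on {day}")
```

The rules are deliberately narrow: a legitimate Windows update entry such as the dllcache\aclayers.dll line is not flagged, while the numeric names, the hex-named driver and the zero-byte Udp.sys all are. The burst report is the part worth keeping an eye on in real logs, because a single odd file name can be a false positive but several of them landing in system32 within an hour rarely is.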

Hello RustyNail

Welcome to Malwarebytes.

=====================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


Looks like we got bit good. This computer was running and online for at least 24 hours after it got hit. It belongs to a friend. I took it offline as soon as I discovered the problem. I used another computer to get the scan software and transferred it with a USB stick. It's been shut down since I scanned it, waiting for your report.

We have changed any passwords that might have been compromised. This computer is on a small Win XP workgroup network and I am wondering if this bug would have traveled over the network to the other computers? None of them are showing any signs and they have all passed a scan with mbam.

I'm going to wipe the hard drive and do a fresh os install like you recommended. Should I use one of those secure delete programs or will a partition delete and re-format do the trick?

From now on I will suggest to my friend that he only log on as a user-type account rather than as an admin-type one. Hopefully this will keep these bugs out of his computer.

Sincerely appreciate your help in reviewing our problem.

Art
