
Hello,

I think my machine may have been infected recently and I haven't had any luck figuring out the problems so far. The symptoms I've seen are:

- The computer crashes without warning; it just locks up to all mouse/keyboard input and starts beeping, and I have to power the machine off to restart it. The amount of uptime varies, from ~10 minutes to about an hour so far.

- The disk access light is flashing constantly while the computer is on, even when I'm not doing anything.

- Firefox freezes at "Loading..." when it starts up and will no longer load. Other browsers (Chrome, IE) are still working so far. I was able to run Firefox in safe mode, though.

So far I have tried the following steps:

- ran MBAM without detecting any problems; log appended below

- ran DeFogger to disable CD-ROM emulation - no errors; log appended below

- ran DDS - DDS.txt is appended below; attach.txt is included in the attached zip file

- ran GMER - the computer blue-screened in the middle of this process; should I try to run it again, maybe try to run it from safe mode?

Thanks for any advice!

----

contents of the MBAM log:

Malwarebytes' Anti-Malware 1.44

Database version: 3750

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

2/17/2010 8:55:46 AM

mbam-log-2010-02-17 (08-55-46).txt

Scan type: Quick Scan

Objects scanned: 130324

Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----

contents of defogger_disable.log:

defogger_disable by jpshortstuff (29.01.10.1)

Log created at 09:00 on 17/02/2010 (Daniel)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

----

contents of DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86

Run by Daniel at 9:01:49.85 on Wed 02/17/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1586 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Java\jre6\bin\jusched.exe

svchost.exe

C:\Program Files\FolderSize\FolderSizeSvc.exe

C:\Program Files\LogMeIn Hamachi\hamachi-2.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Daniel\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Daniel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStarts Page = hxxp://cnn.com/

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [Google Update] "c:\documents and settings\daniel\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://wbi.sas.com/dana-cached/setup/JuniperSetupSP1.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel\applic~1\mozilla\firefox\profiles\219zabqo.default\

FF - prefs.js: browser.startup.homepage - hxxp://cnn.com

FF - component: c:\documents and settings\daniel\application data\mozilla\firefox\profiles\219zabqo.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - plugin: c:\documents and settings\daniel\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: capability.policy.policynames - localfilelinks

FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk

FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-9 64288]

R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2009-10-29 1074568]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]

=============== Created Last 30 ================

2010-02-17 14:00:21 0 ----a-w- c:\documents and settings\daniel\defogger_reenable

2010-02-17 07:06:28 0 d-----w- c:\windows\system32\LogFiles

2010-02-17 06:45:49 98816 ----a-w- c:\windows\sed.exe

2010-02-17 06:45:49 77312 ----a-w- c:\windows\MBR.exe

2010-02-17 06:45:49 261632 ----a-w- c:\windows\PEV.exe

2010-02-17 06:45:49 161792 ----a-w- c:\windows\SWREG.exe

2010-02-06 14:15:38 0 d-----w- c:\program files\gzip

2010-02-05 23:35:58 120 ----a-w- c:\windows\Vficazeti.dat

2010-02-05 23:35:58 0 ----a-w- c:\windows\Qsagada.bin

2010-02-04 02:50:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-04 02:50:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-24 22:16:57 0 d-----w- c:\program files\wtvclient

==================== Find3M ====================

2010-01-24 22:11:32 122639 ----a-w- c:\windows\War3Unin.dat

2010-01-04 03:38:22 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-24 06:34:40 1060864 ----a-w- c:\windows\system32\MFC71.dll

2009-12-22 05:21:05 667136 ------w- c:\windows\system32\wininet.dll

2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-02 13:19:04 15880 ----a-w- c:\windows\system32\lsdelete.exe

2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll

============= FINISH: 9:02:13.87 ===============

----

Attach.zip

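A small triage helper for the "Created Last 30" section of the DDS.txt above, added here as an example; it is not part of the original post or of the DDS tool. It parses the entry lines into fields and surfaces the ones a helper would normally ask about first: files written directly into the Windows directory rather than a program folder, together with anything created in the same second (a drop that writes several files at once). The rule of thumb is an assumption for illustration, not a verdict on any file.

```python
"""Parse DDS 'Created Last 30' entries and surface items worth a closer look.

Added example (not from the original post or the DDS tool). The flagging
rule below is a triage heuristic assumed for illustration only.
"""
import re
from collections import defaultdict

# Field layout observed in the log above: date time size attributes path
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)

# Constructed sample: a subset of the entry lines copied from DDS.txt above.
SAMPLE = r"""2010-02-17 07:06:28 0 d-----w- c:\windows\system32\LogFiles
2010-02-17 06:45:49 98816 ----a-w- c:\windows\sed.exe
2010-02-06 14:15:38 0 d-----w- c:\program files\gzip
2010-02-05 23:35:58 120 ----a-w- c:\windows\Vficazeti.dat
2010-02-05 23:35:58 0 ----a-w- c:\windows\Qsagada.bin
2010-02-04 02:50:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""


def parse_entries(text):
    """Return one dict per well-formed entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["is_dir"] = e["attrs"].startswith("d")  # 'd-----w-' marks a folder
            entries.append(e)
    return entries


def flag_windows_root_files(entries):
    """Files (not folders) dropped straight into c:\\windows, plus every other
    entry that shares a creation timestamp with one of them."""
    stamp = lambda e: e["date"] + " " + e["time"]
    by_stamp = defaultdict(list)
    for e in entries:
        by_stamp[stamp(e)].append(e)
    flagged = []
    for e in entries:
        parent, _, _ = e["path"].lower().rpartition("\\")
        if parent == "c:\\windows" and not e["is_dir"]:
            for sibling in by_stamp[stamp(e)]:
                if sibling["path"] not in flagged:
                    flagged.append(sibling["path"])
    return flagged
```

Run it over the full "Created Last 30" block to get the same short list of paths to raise with a helper; entries under system32 or Program Files are left alone by design.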

Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
