Jump to content

Did I do it?

Confuzzed
 Share

Recommended Posts

Confuzzed

Confuzzed

Posted
Posted

I think I did it, almost. I had a few virus' and at one time a backdoor.bot, went throught the self help section to work it out. I think I got it. The computer is scanning clean (although it too a number of days). Both the disk.sys and atapi.sys were infected. About the only problem I still seem to have is the computer does not want to close outlook completely and is having problems shutting down from the Start Menu.

Any thoughts would be appreciated.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Lawson at 11:31:56.64 on Mon 05/17/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2794 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\WTouch\WTouchService.exe

svchost.exe

svchost.exe

C:\WINDOWS\System32\iscsiexe.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\WTouch\WTouchUser.exe

svchost.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Drobo\Drobo Dashboard\Support\DDService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NDAS\System\ndassvc.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\Pen_Tablet.exe

C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Documents and Settings\Lawson\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MICROS~3\rapimgr.exe

C:\Program Files\Drobo\Drobo Dashboard\DroboDashboard.exe

C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\NDAS\System\ndasmgmt.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Documents and Settings\Lawson\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe

C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe

C:\Program Files\Southwest Airlines\Ding\Ding.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Program Files\Internet Download Manager\IEMonitor.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Documents and Settings\Lawson\Desktop\Temp1\dds.EXE

============== Pseudo HJT Report ===============

uStart Page = about:blank

uInternet Settings,ProxyOverride = *.local

BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [iDMan] c:\program files\internet download manager\IDMan.exe /onboot

uRun: [MoeMonitor.exe] "c:\documents and settings\lawson\local settings\application data\microsoft\live mesh\bin\servicing\0.9.4014.7\MoeMonitor.exe"

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

StartupFolder: c:\docume~1\lawson\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\PfuSsOrgOcrChk.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\drobod~1.lnk - c:\program files\drobo\drobo dashboard\DroboDashboard.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ndasde~1.lnk - c:\program files\ndas\system\ndasmgmt.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm

IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm

IE: Download with IDM - c:\program files\internet download manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238108135196

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238176636093

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.28/TSWeb.cab

DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} - hxxps://oca.microsoft.com/en/secure/ocarpt.CAB

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://linksyssupport.webex.com/client/T26L10NSP49EP32-linksyssupport/support/ieatgpc.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

Notify: wlcrdplauncher - c:\program files\live mesh\remote desktop\wlcrdplauncher.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 lfsfilt;NDAS Lean File Sharing Service;c:\windows\system32\drivers\lfsfilt.sys [2009-2-7 274920]

R0 lpx;LPX Protocol;c:\windows\system32\drivers\lpx.sys [2009-2-7 100840]

R0 ndasfs;ndasfs;c:\windows\system32\drivers\ndasfs.sys [2009-2-7 285160]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]

R1 ndasfat;NDAS FAT File System Service;c:\windows\system32\drivers\ndasfat.sys [2009-2-7 416232]

R1 ndasrofs;NDAS ROFS File System Service;c:\windows\system32\drivers\ndasrofs.sys [2009-2-7 783848]

R2 DDService;Drobo Dashboard Service;c:\program files\drobo\drobo dashboard\support\DDService.exe [2010-3-19 704512]

R2 MSiSCSI;Microsoft iSCSI Initiator Service;c:\windows\system32\iscsiexe.exe [2008-11-13 103480]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-2-18 4408616]

R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\live mesh\remote desktop\wlcrasvc.exe [2010-2-17 44880]

R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2010-2-18 112936]

R3 iScsiPrt;iScsiPort Driver;c:\windows\system32\drivers\msiscsi.sys [2008-11-13 158264]

R3 ndasbus;NDAS Bus Driver;c:\windows\system32\drivers\ndasbus.sys [2009-2-7 121320]

R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-3-26 39456]

R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2010-2-17 9040]

R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2010-2-17 19408]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-2-18 15656]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-16 133104]

S3 ndasscsi;NDAS SCSI Miniport Driver;c:\windows\system32\drivers\ndasscsi.sys [2009-2-7 276968]

S3 TVService;TVService;c:\program files\team mediaportal\mediaportal tv server\TvService.exe [2009-5-8 192512]

============== File Associations ===============

.scr=DWGTrueViewScriptFile

=============== Created Last 30 ================

2010-05-15 00:23:13 0 ----a-w- c:\documents and settings\lawson\defogger_reenable

2010-05-14 23:22:41 0 d-----w- c:\program files\Runtime Software

2010-05-14 21:58:49 36352 -c--a-w- c:\windows\system32\dllcache\disk.sys

2010-05-14 21:58:49 36352 ----a-w- c:\windows\system32\drivers\disk.sys

2010-05-14 21:55:46 98816 ----a-w- c:\windows\sed.exe

2010-05-14 21:55:46 77312 ----a-w- c:\windows\MBR.exe

2010-05-14 21:55:46 256512 ----a-w- c:\windows\PEV.exe

2010-05-14 21:55:46 161792 ----a-w- c:\windows\SWREG.exe

2010-05-14 21:15:48 0 d-sha-r- C:\cmdcons

2010-05-14 21:15:46 0 d-----w- c:\windows\setup.pss

2010-05-14 21:15:36 0 d-----w- c:\windows\setupupd

2010-05-14 16:25:21 3245 ----a-w- c:\windows\system32\wbem\Outlook_01caf3820c855766.mof

2010-05-14 02:49:39 0 d-----w- c:\windows\system32\wbem\Repository

2010-05-14 01:16:18 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys

2010-05-14 01:16:18 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys

2010-05-14 01:15:52 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys

2010-05-14 01:15:52 8192 ----a-w- c:\windows\system32\drivers\changer.sys

2010-05-13 16:36:47 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-13 16:33:15 0 d-----w- c:\program files\Microsoft Security Essentials

2010-05-13 16:27:50 0 d-----w- C:\60d349ba54d46634af

2010-05-13 00:50:07 0 d-----w- c:\docume~1\lawson\applic~1\Malwarebytes

2010-05-13 00:49:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-13 00:49:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-13 00:49:58 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-13 00:49:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-12 00:16:02 0 d-----w- c:\program files\Remove Empty Directories

2010-05-11 20:06:51 0 d-----w- c:\program files\Microsoft LifeCam

2010-05-11 20:06:40 0 d-----w- c:\windows\Logs

2010-04-30 16:29:05 0 d-----w- c:\program files\iPod

2010-04-30 16:29:01 0 d-----w- c:\program files\iTunes

2010-04-30 16:25:48 0 d-----w- c:\program files\Bonjour

2010-04-27 13:30:30 210352 ----a-w- c:\windows\system32\idmmbc.dll

==================== Find3M ====================

2010-05-14 21:45:46 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-25 22:19:28 74756 ---ha-w- c:\windows\system32\mlfcache.dat

2010-03-15 23:02:39 137195 ----a-w- c:\windows\fonts\AdobeFnt08.lst

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-17 23:34:07 15696 ----a-w- c:\windows\system32\rdpvdd.dll

2010-02-17 23:34:07 118736 ----a-w- c:\windows\system32\rdpdispd.dll

2009-10-21 01:21:18 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 11:32:13.71 ===============

Attach.zip

Link to post
Share on other sites
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites
Confuzzed

Confuzzed

Posted
  • Author
Posted

The MBAM comes up clean and I have previously run the Combofix. Also the MS Security Essentials comes up clean. About the only thing left to turn on the CDROM emulation software using Defogger.

The computer now seems to be shutting down ok, it just does not want to boot with a USB drive installed.

Thoughts?

Link to post
Share on other sites
  • 2 weeks later...
  • Staff
screen317

screen317

Posted
  • Staff
Posted

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.