svchost.exe error after running Malwarebytes 1.46 to remove viruses


I am receiving this error:

Faulting application svchost.exe, version 5.1.2600.5512, faulting module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

after I ran Malwarebytes ver 1.46. It cleaned up all the viruses but I have this problem now. Does anyone know how to fix this without reinstalling Windows?


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4628

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/16/2010 12:42:56 PM

mbam-log-2010-09-16 (12-42-56).txt

Scan type: Full scan (C:\|)

Objects scanned: 322100

Time elapsed: 3 hour(s), 27 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Documents and Settings\hallp\Local Settings\Temp\BEA.tmp (Trojan.Dropper) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xuri49tkd (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\hallp\Local Settings\Temp\BEA.tmp (Trojan.Dropper) -> Delete on reboot.

C:\Documents and Settings\hallp\Local Settings\Temp\BEC.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\hallp\Local Settings\Temp\zpskon_1284594290.exe (Worm.Koobface) -> Quarantined and deleted successfully.

C:\Documents and Settings\hallp\Local Settings\Application Data\010155555710297.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\Documents and Settings\hallp\Local Settings\Application Data\04856521005251.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\Documents and Settings\hallp\Local Settings\Application Data\05710298499948.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\WINDOWS\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.

This is more of the viruses that were found on my PC, detected by Symantec AV:

Security Risk Found!Trojan.Gen in File: C:\WINDOWS\andy128.exe by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was left unchanged.


Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Hey there. I ran ComboFix.exe and I have attached the log.txt file for your review.


Hi,

Please do not attach your logs as it is harder for me to read them that way. Post them instead:

ComboFix 10-09-27.05 - 164937 09/28/2010 10:27:50.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.453 [GMT -4:00]

Running from: c:\documents and settings\hallp\Desktop\ComboFix.exe

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\hallp\g2mdlhlpx.exe

c:\program files\INSTALL.LOG

c:\windows\AutoRun.ini

c:\windows\Client.ini

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected

Restored copy from - Kitty had a snack :blink:

.

((((((((((((((((((((((((( Files Created from 2010-08-28 to 2010-09-28 )))))))))))))))))))))))))))))))

.

2010-09-24 19:05 . 2010-09-24 19:05 -------- d-----w- c:\temp\subscribehome.com

2010-09-24 16:51 . 2010-09-24 16:51 -------- d-----w- c:\documents and settings\hallp\Application Data\GetRightToGo

2010-09-23 13:35 . 2010-09-23 13:35 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2010-09-23 13:35 . 2010-09-23 13:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2010-09-22 19:10 . 2010-09-22 19:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2010-09-22 19:10 . 2010-09-22 19:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!

2010-09-22 19:08 . 2010-09-22 19:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2010-09-22 19:08 . 2010-09-22 19:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-22 19:06 . 2010-09-23 17:25 -------- d-----w- c:\documents and settings\Administrator\Tracing

2010-09-22 19:04 . 2010-09-22 19:04 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-09-22 19:02 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys

2010-09-22 19:02 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2010-09-22 19:01 . 2001-08-17 17:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-09-22 19:01 . 2001-08-17 17:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-09-22 19:01 . 2008-04-14 04:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-09-22 19:01 . 2008-04-14 04:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-09-22 15:10 . 2010-09-22 15:11 -------- d-----w- c:\program files\Common Files\Adobe

2010-09-16 12:57 . 2010-09-16 12:57 -------- d-----w- c:\documents and settings\hallp\Application Data\Malwarebytes

2010-09-16 12:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-16 12:56 . 2010-09-16 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-16 12:56 . 2010-09-16 12:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-16 12:56 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-15 16:30 . 2010-09-27 21:35 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-15 15:52 . 2010-09-15 15:52 -------- d-----w- C:\liveupdate

2010-09-15 15:47 . 2010-09-15 15:48 -------- d-----w- C:\livemeeting

2010-09-09 13:43 . 2010-06-01 15:44 3907584 ----a-w- c:\documents and settings\hallp\Application Data\Mozilla\Firefox\Profiles\vrcq3juq.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

2010-09-09 13:43 . 2010-01-25 15:58 462848 ----a-w- c:\documents and settings\hallp\Application Data\Mozilla\Firefox\Profiles\vrcq3juq.default\extensions\LogMeInClient@logmein.com\plugins\ractrlkeyhook.dll

2010-09-09 13:43 . 2010-01-15 18:26 70984 ----a-w- c:\documents and settings\hallp\Application Data\Mozilla\Firefox\Profiles\vrcq3juq.default\extensions\LogMeInClient@logmein.com\plugins\LMIProxyHelper.exe

2010-09-09 13:43 . 2010-01-15 18:25 864256 ----a-w- c:\documents and settings\hallp\Application Data\Mozilla\Firefox\Profiles\vrcq3juq.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianDll.dll

2010-09-09 13:43 . 2010-01-15 18:25 315392 ----a-w- c:\documents and settings\hallp\Application Data\Mozilla\Firefox\Profiles\vrcq3juq.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardianEvt.dll

2010-09-09 13:43 . 2010-01-15 18:25 372736 ----a-w- c:\documents and settings\hallp\Application Data\Mozilla\Firefox\Profiles\vrcq3juq.default\extensions\LogMeInClient@logmein.com\plugins\LMIGuardian.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-24 21:15 . 2006-08-02 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-09-24 17:26 . 2006-08-02 21:08 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-09-23 13:37 . 2006-07-13 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-09-23 13:35 . 2006-07-13 21:55 -------- d-----w- c:\program files\Symantec

2010-09-23 13:35 . 2010-09-23 13:35 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF

2010-09-23 13:35 . 2010-09-23 13:35 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT

2010-09-23 13:35 . 2006-07-13 21:54 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-09-23 12:49 . 2006-07-13 21:54 -------- d-----w- c:\program files\Symantec AntiVirus

2010-09-22 19:30 . 2006-07-21 13:48 -------- d-----w- c:\program files\Yahoo!

2010-09-22 19:24 . 2010-09-22 19:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\MSNInstaller

2010-09-22 19:22 . 2006-07-21 14:15 -------- d-----w- c:\program files\Common Files\AOL

2010-09-22 19:22 . 2006-12-18 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL

2010-09-22 19:19 . 2008-11-19 14:35 -------- d-----w- c:\program files\AIM Toolbar

2010-09-22 19:18 . 2006-12-21 20:06 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-09-22 19:18 . 2008-02-04 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2010-09-09 13:50 . 2007-11-29 18:12 -------- d-----w- c:\documents and settings\hallp\Application Data\WebEx

2010-08-24 00:03 . 2006-07-19 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-08-17 13:17 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-13 17:08 . 2007-11-28 17:56 -------- d-----w- c:\program files\SecureCRT

2010-08-11 15:14 . 2006-07-19 18:56 72024 ----a-w- c:\documents and settings\hallp\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-05 06:25 . 2006-07-12 13:57 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-07-22 15:49 . 2004-08-04 10:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-04-15 04:25 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-07-14 16:32 . 2010-07-14 16:32 516784 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtbEC0.tmp.exe

2005-11-15 19:32 . 2005-11-15 19:32 3638 ----a-r- c:\program files\Common Files\Altiris_Icon.ico

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlay1EXL600]

@="{BF9B13E4-FE9B-4121-853F-866F4E9E2830}"

[HKEY_CLASSES_ROOT\CLSID\{BF9B13E4-FE9B-4121-853F-866F4E9E2830}]

2007-06-23 02:03 598016 ----a-w- c:\windows\system32\FPAP-EXL600\FileptcIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-23 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]

"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2009-04-30 153416]

"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2009-12-12 5114208]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-07-13 286720]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-17 115560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\hallp\Start Menu\Programs\Startup\

DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\AMInit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1865380466-2370931803-2352427685-16551\Scripts\Logon\0\0]

"Script"=loginscript_it01.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1865380466-2370931803-2352427685-30326\Scripts\Logon\0\0]

"Script"=loginscript_it01.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3670881935-3756027793-3498361200-1207\Scripts\Logon\0\0]

"Script"=loginscript_it01.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NMPSystray.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NMPSystray.lnk

backup=c:\windows\pss\NMPSystray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intellisync Handheld Launcher]

2006-12-18 05:49 1558224 ----a-w- c:\program files\Intellisync Corporation\Intellisync Handheld Edition\ishhlauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2005-06-10 14:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

2005-06-10 14:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MbWzdFPAP-EXL600]

2007-06-25 09:43 997888 ----a-w- c:\windows\system32\FPAP-EXL600\PdtGuide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPMEnroll]

2009-03-30 20:43 147248 ----a-w- c:\windows\system32\QPMEnroll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-07-13 14:14 286720 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2007-10-05 07:32 75256 ----a-w- c:\program files\Java\jre1.5.0_14\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [3/7/2007 3:22 PM 9216]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/5/2007 10:35 AM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/10/2010 5:10 AM 102448]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/17/2010 11:24 AM 135664]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/17/2009 9:11 AM 23888]

S3 Vmover.exe;Quest Resource Updating Agent;c:\windows\system32\Vmover.exe [11/8/2008 10:15 AM 983040]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]

2006-06-29 11:00 99920 ----a-w- c:\program files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe

.

Contents of the 'Scheduled Tasks' folder

2010-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 15:24]

2010-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 15:24]

2010-09-27 c:\windows\Tasks\User_Feed_Synchronization-{38A8E1D2-DA67-40B8-85FC-2E36C39F372E}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ssc.nytimes.com/

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cab

DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED}

DPF: {1A1F0774-EDE6-4255-A411-B2A730D6A6DD} - hxxp://www.bravaviewer.com/install/BravaReader/setup.exe

DPF: {37775067-8350-11D4-A7DA-00C04F14FB69} - hxxp://pvcs.nytssc.com/trackdoc/trkpm660ie.cab

DPF: {CCF028C4-4631-11D3-90BD-00A0C9B727E1} - hxxp://pvcs.nytssc.com/vminet_images/vmi660ie.cab

FF - ProfilePath - c:\documents and settings\hallp\Application Data\Mozilla\Firefox\Profiles\vrcq3juq.default\

FF - plugin: c:\documents and settings\hallp\Application Data\Mozilla\Firefox\Profiles\vrcq3juq.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

FF - plugin: c:\documents and settings\hallp\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJPI150_14.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe

HKCU-Run-Aim6 - (no file)

HKLM-Run-xuri49tkd - c:\windows\andy128.exe

Notify-NavLogon - (no file)

SafeBoot-Symantec Antvirus

MSConfigStartUp-xuri49tkd - c:\windows\andy128.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-28 10:40

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)

c:\windows\system32\prm_gina.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'winlogon.exe'(2492)

c:\windows\system32\prm_gina.dll

c:\windows\system32\WININET.dll

.

Completion time: 2010-09-28 10:51:11

ComboFix-quarantined-files.txt 2010-09-28 14:51

Pre-Run: 21,588,295,680 bytes free

Post-Run: 32,601,952,256 bytes free

- - End Of File - - E76E20432E4E2E370828B256A653A7C9

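As an added example (not from this thread, from Malwarebytes, or from ComboFix), a small Python triage script for the "Reg Loading Points" and "ORPHANS REMOVED" layout shown in the log above. It flags the settings a defender would want to restore after cleanup (Automatic Updates, the Windows Firewall, Security Center monitoring), any AppInit_DLLs entry, and removed autostarts whose executable sat directly in C:\WINDOWS. The sample text is a constructed fragment built from lines in this log; the suffix-match rules and the "program in the Windows root" heuristic are the example's own assumptions.

```python
import re

# Constructed sample in the layout of ComboFix's "Reg Loading Points" and "ORPHANS
# REMOVED" sections; key paths and values are copied from the log in this thread.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\AMInit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-xuri49tkd - c:\windows\andy128.exe
MSConfigStartUp-xuri49tkd - c:\windows\andy128.exe

**************************************************************************
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
ORPHAN_RE = re.compile(r"^(\S+) - (.+)$")
# Heuristic (assumption): a program directly in the Windows root is unusual for
# legitimate software and deserves a second look (andy128.exe in the log above).
IN_WINDIR_ROOT = re.compile(r"^c:\\windows\\[^\\]+$", re.IGNORECASE)

# (key-path suffix, value name, value that weakens defences, explanation)
WEAKENING_SETTINGS = [
    (r"windowsupdate\au", "NoAutoUpdate", 1, "Automatic Updates are switched off by policy"),
    (r"firewallpolicy\standardprofile", "EnableFirewall", 0, "Windows Firewall is disabled"),
    (r"security center\monitoring\symantecantivirus", "DisableMonitoring", 1,
     "Security Center no longer reports the Symantec AV state"),
]


def parse_value(raw):
    """Turn ComboFix's value notation into an int or a plain string."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)      # "dword:00000001"
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)  # "1 (0x1)"
    if m:
        return int(m.group(1))
    # String data: drop the trailing "[date size]" annotation and quotes.
    return re.sub(r"\s*\[[^\]]*\]$", "", raw).strip('"')


def triage(log_text):
    """Collect defender-relevant findings from the registry-style sections."""
    findings = {"weakened": [], "appinit": [], "orphans": []}
    current_key, in_orphans = None, False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            in_orphans = True
            continue
        if in_orphans:
            if line.startswith("*"):          # the next section begins
                in_orphans = False
                continue
            m = ORPHAN_RE.match(line)
            if m and m.group(2) != "(no file)":
                target = m.group(2)
                findings["orphans"].append(
                    (m.group(1), target, IN_WINDIR_ROOT.match(target) is not None))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not (m and current_key):
            continue
        name, data = m.group(1), parse_value(m.group(2))
        for suffix, vname, bad, why in WEAKENING_SETTINGS:
            if current_key.endswith(suffix) and name == vname and data == bad:
                findings["weakened"].append(f"{vname}={bad}: {why}")
        if name.lower() == "appinit_dlls" and data:
            findings["appinit"].append(data)
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, all three weakened settings, the AppInit_DLLs entry and both removed xuri49tkd autostarts are reported; the "(no file)" orphan is ignored.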

I appear to be having an identical problem. I am also running Symantec AV and it found the same RootKit.gen Trojan. The offset address with ntdll.dll is also the same. What can I do to make this diagnosis easier?

Thanks!

I want to let you know that this ComboFix.exe fixed the problem. I did however run another scan and it found 3 more virus files but cleaned them up. Thank you all very much for your help. Most appreciated.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
