got hello4 and associated - help Pls


I've forgotten how to proceed

get error: RUNDLL - Error in InetCpl.cpl missing entry Clear My Tracks Process

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:18:07 AM, on 5/5/2011

End of file - 16925 bytes

Read thru the sticky.

I've run Malwarebytes updater - success

Downloaded defogger and ran it. Whatever it is won't let Windows shut down or restart.

Its grip on my computer is very tenacious.


  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.

Thanks Chris,

Getting pop-up screens, but here (hopefully) is what you/we need:

mbam-log-2011-05-08 (03-17-39).txt

DDS.txt

DBH

Maybe like this ?

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by 2Hundred at 3:20:21.00 on Sun 05/08/2011

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1527.382 [GMT -4:00]

.

FW: ZoneAlarm Pro Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\WINDOWS\MMKeybd.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

C:\program files\real\realplayer\update\realsched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Logitech\Video\ManifestEngine.exe

C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

C:\WINDOWS\MMKeybd .exe

C:\Program Files\WinFast\WFTVFM\WFWIZ .exe

C:\Program Files\Microsoft IntelliType Pro\itype .exe

C:\program files\real\realplayer\update\realsched .exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam .exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\SysMetrix\SysMetrix.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\2Hundred\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = localhost;*.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mWinlogon: Userinit=userinit.exe,

BHO: Shareaza Web Download Hook: {0eedb912-c5fa-486f-8334-57288578c627} - c:\program files\shareaza\RazaWebHook32.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll

uRun: [Power2GoExpress] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot

uRun: [ATI Launchpad]

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC .exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [CD Autorun] c:\program files\tweaknow powerpack 2010\CDAuto.exe

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [<NO NAME>]

mRun: [WinFast Schedule] c:\program files\winfast\wftvfm\WFWIZ.exe

mRun: [sysMetrix] c:\program files\sysmetrix\SysMetrix.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [Nikon Message Center 2] c:\program files\nikon\nikon message center 2\NkMC2.exe -s

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [DellTouch] c:\windows\MMKeybd.exe

mRun: [sysMetrix ] c:\program files\sysmetrix\SysMetrix .exe

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam .exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

uPolicies-explorer: <NO NAME> =

IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download with &Shareaza - c:\program files\shareaza\RazaWebHook32.dll/3000

IE: Download with PodWorks Platinum - c:\program files\imtoo\podworks platinum\upod_link.HTM

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276357206425

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1302871843890

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\2hundred\applic~1\mozilla\firefox\profiles\s82rejoa.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-chromesbox-en-us&query=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.dailyrotten.com/

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-ab-en-us&query=

FF - component: c:\documents and settings\2hundred\application data\mozilla\firefox\profiles\s82rejoa.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - component: c:\documents and settings\2hundred\application data\mozilla\firefox\profiles\s82rejoa.default\extensions\{12e4c684-c03e-4e4d-85bc-0c065e7a9489}\components\WinampPlayer.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

.

---- FIREFOX POLICIES ----

.

FF - user.js: browser.sessionstore.resume_from_crash - false

.

============= SERVICES / DRIVERS ===============

.

R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [2007-11-29 10368]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-1-2 394952]

R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [2007-11-29 153728]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-6-18 3712]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-22 363344]

R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-8-11 30208]

R2 Nhksrv;Netropa NHK Server;c:\windows\Nhksrv.exe [2009-4-24 28672]

R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-12-17 651264]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-22 20952]

R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2009-4-24 6942]

R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-8-11 224768]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVENG.sys [2010-11-29 86064]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVEX15.sys [2010-11-29 1371184]

R3 WFIOCTL;WFIOCTL;c:\program files\winfast\wftvfm\WFIOCTL.sys [2010-6-18 9446]

S2 AutoExNT;AutoExNT;c:\windows\system32\Autoexnt.exe [1999-2-13 5904]

S2 gupdate1c9a3cf193f4c4a;Google Update Service (gupdate1c9a3cf193f4c4a);c:\program files\google\update\GoogleUpdate.exe [2009-3-13 133104]

S3 DJUSB;DMM Controller;c:\windows\system32\drivers\DM2.SYS [2001-6-1 10758]

S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [2010-12-20 25056]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-1-29 34064]

S3 Prodface;Prodface;c:\windows\system32\drivers\Prodface.sys [2008-6-27 3543]

S3 Prodikeys;Creative Prodikeys Driver;c:\windows\system32\drivers\Proddrvr.sys [2008-6-27 11437]

S3 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

.

=============== Created Last 30 ================

.

2011-05-05 13:04:10 135168 ----a-w- c:\windows\system32\igfxres.dll

2011-05-05 12:52:59 4096 -c--a-w- c:\windows\system32\dllcache\rpcref.dll

2011-05-05 12:51:57 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll

2011-05-05 12:50:57 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll

2011-05-05 12:48:24 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2011-05-05 12:48:24 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe

2011-05-05 12:27:04 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2011-05-05 12:27:04 24661 ----a-w- c:\windows\system32\spxcoins.dll

2011-05-05 12:27:04 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2011-05-05 12:27:04 13312 ----a-w- c:\windows\system32\irclass.dll

2011-05-05 12:26:45 13753 ----a-r- c:\windows\SETF1.tmp

2011-05-05 12:26:42 1086058 ----a-r- c:\windows\SETE9.tmp

2011-05-05 12:26:40 1042903 ----a-r- c:\windows\SETE7.tmp

2011-05-05 03:06:27 123888 ----a-w- c:\windows\system32\pxcpyi64.exe

2011-05-05 03:06:26 126448 ----a-w- c:\windows\system32\pxinsi64.exe

2011-05-05 03:06:25 59888 ----a-w- c:\windows\system32\pxwma.dll

2011-05-05 02:51:27 111618 ----a-w- c:\docume~1\alluse~1\applic~1\5C5hP87i.exe

2011-05-04 11:52:16 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll

2011-05-04 11:51:55 -------- d-----w- c:\program files\common files\xing shared

2011-05-04 11:51:43 150712 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll

2011-05-04 11:51:32 105472 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll

2011-05-04 11:43:21 -------- d-----w- c:\docume~1\2hundred\locals~1\applic~1\Super Internet TV

2011-05-01 10:22:39 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-05-01 10:22:38 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-05-01 10:22:38 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-05-01 10:22:38 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-05-01 10:22:38 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-05-01 10:22:38 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-05-01 10:22:38 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-05-01 10:22:38 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-04-22 02:58:23 -------- d-----w- c:\docume~1\2hundred\locals~1\applic~1\Nikon

2011-04-22 02:56:38 57344 ----a-r- c:\docume~1\2hundred\applic~1\microsoft\installer\{87441a59-5e64-4096-a170-14efe67200c3}\ARPPRODUCTICON.exe

2011-04-22 02:55:23 -------- d-----w- c:\program files\common files\Nikon

2011-04-22 02:55:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\MIDI Drivers

2011-04-22 02:55:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Light Machine

2011-04-22 02:55:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Keyboard Layouts

2011-04-22 02:54:08 -------- d-----w- c:\program files\Nikon

.

==================== Find3M ====================

.

2011-05-05 13:03:50 135176 ----a-w- c:\windows\MMKeybd.exe

2011-04-22 02:54:45 106496 ----a-w- c:\windows\system32\ATL71.DLL

2011-03-04 19:44:14 133616 ----a-w- c:\windows\system32\pxafs.dll

2009-10-26 21:02:59 13251 ----a-w- c:\program files\common files\imajiz.bin

2009-10-26 21:02:58 15784 ----a-w- c:\program files\common files\gorub.vbs

2009-10-26 21:02:58 13822 ----a-w- c:\program files\common files\qilez.com

2004-10-01 19:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD800BB-55JKC0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A0956F0]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a09ba10]; MOV EAX, [0x8a09ba8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E3D45] -> \Device\Harddisk0\DR0[0x8A30EAB8]

3 CLASSPNP[0xF764805B] -> nt!IofCallDriver[0x804E3D45] -> \Device\00000068[0x8A1D82A0]

5 ACPI[0xF750E620] -> nt!IofCallDriver[0x804E3D45] -> [0x8A23E940]

\Driver\atapi[0x8A312270] -> IRP_MJ_CREATE -> 0x8A0956F0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A09553B

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 3:21:38.59 ===============


Maybe like this ?

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6529

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

5/8/2011 3:18:39 AM

mbam-log-2011-05-08 (03-17-39).txt

Scan type: Quick scan

Objects scanned: 162152

Time elapsed: 10 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

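The MBAM log above shows what a Userinit hijack looks like once detected. The following Python is an added example, not code from the thread or from Malwarebytes: it re-implements that check independently, parsing the `Bad:`/`Good:` values out of an MBAM log line and the `mWinlogon: Userinit=` line out of a DDS log, and flagging every entry that is not the genuine userinit.exe. The system32 path is assumed to be the posted machine's, and the sample log text is constructed from the lines posted above.

```python
from __future__ import annotations

import re

# Added example (not from the thread or from Malwarebytes): re-implements the
# check behind the "Hijack.UserInit" finding in the MBAM log above.
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit is a
# comma-separated list of programs Windows runs at every interactive logon.
# A clean XP install lists only userinit.exe (bare, or under
# %SystemRoot%\system32); any extra entry, such as the sdra64.exe in the
# posted log, also runs at each logon and needs investigating.

SYSTEM32 = r"c:\windows\system32"  # assumed %SystemRoot%\system32 of the posted machine

# Constructed sample input, copied from the two logs posted in this thread.
SAMPLE_MBAM_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> No action taken.
"""
SAMPLE_DDS = r"""uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=userinit.exe,
"""


def parse_userinit(value: str) -> list[str]:
    """Split a Userinit value into its entries; the trailing comma is normal."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def unexpected_entries(value: str, system32: str = SYSTEM32) -> list[str]:
    """Return the entries of a Userinit value that are not the real userinit.exe.

    An entry passes only if its file name is userinit.exe and it is either
    unqualified or sits in the genuine system32 directory; a userinit.exe
    placed anywhere else is treated as an impostor and reported as well.
    """
    suspicious = []
    for entry in parse_userinit(value):
        directory, _, name = entry.lower().rpartition("\\")
        if name != "userinit.exe" or (directory and directory != system32.lower()):
            suspicious.append(entry)
    return suspicious


# MBAM reports registry data hijacks as "<key> (<detection>) -> Bad: (<value>) Good: (<value>)".
MBAM_USERINIT = re.compile(
    r"Winlogon\\Userinit \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)
# DDS prints the same value as "mWinlogon: Userinit=<value>" (m = machine-wide HKLM).
DDS_USERINIT = re.compile(r"^mWinlogon: Userinit=(?P<value>.*)$", re.MULTILINE)


def userinit_findings(mbam_log: str) -> list[dict]:
    """Pull every Userinit hijack line out of an MBAM log and re-verify it independently."""
    findings = []
    for m in MBAM_USERINIT.finditer(mbam_log):
        findings.append({
            "detection": m["detection"],
            "bad_value": m["bad"],
            "extra": unexpected_entries(m["bad"]),         # what was appended to the value
            "good_ok": not unexpected_entries(m["good"]),  # the proposed fix is itself clean
        })
    return findings


def userinit_from_dds(dds_log: str) -> str | None:
    """Return the Userinit value a DDS log reports, or None if the line is absent."""
    m = DDS_USERINIT.search(dds_log)
    return m["value"].strip() if m else None


if __name__ == "__main__":
    for f in userinit_findings(SAMPLE_MBAM_LOG):
        print(f"{f['detection']}: extra entries {f['extra']}; fix value clean: {f['good_ok']}")
    dds_value = userinit_from_dds(SAMPLE_DDS)
    print(f"DDS reports Userinit={dds_value!r}; unexpected: {unexpected_entries(dds_value or '')}")
    # The two posted logs disagree (MBAM saw sdra64.exe, DDS saw a clean value);
    # when triaging, treat the worse reading as authoritative until the key has
    # been read directly on the machine.
```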

I don't think the MBAM report is what you want, so I went back after a hard shutdown, but couldn't get MBAM to open. Maybe if I could find where it was saved to, I could get the proper log files.

pop-ups now say RUNDLL

Error in InetCpl.cpl

Missing Entry: ClearMyTracksByProcess


  • Staff

Hi,

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

Thanks Screen,

The infection doesn't allow a shutdown except through the ON button. Will TDSSKiller get that done?
