I have recently removed at least part of an infection on my computer that was an obvious fake Windows XP detection problem. There still seem to be parts of that infection that have not been detected by Malwarebytes or any other antivirus/malware program. Things that are still occurring: two instances of iexplore.exe are started about every 10 minutes and I have to kill them via Task Manager, and clicking on certain links from search engines redirects me either back to the same page I clicked the link from or to a 503 gateway problem page.

I was able to successfully use Defogger and DDS, but not GMER and now not MBAM. The first time I used GMER it ran for a while, but eventually my computer locked up. I tried to run it again, and the next time it locked up even sooner. Now I cannot even double-click it without my computer locking up. After that I tried an MBAM quick scan, and about 2 minutes in my computer locked up. I have never had this problem before now.

Here is my most recent MBAM log which detected the initial problem along with DDS.txt:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6637

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

5/22/2011 6:56:11 PM

mbam-log-2011-05-22 (18-56-11).txt

Scan type: Full scan (C:\|)

Objects scanned: 269108

Time elapsed: 28 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Protection (Trojan.FakeAlert) -> Value: Malware Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Shane\local settings\Temp\63.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\documents and settings\all users\application data\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24

Run by Shane at 1:55:37 on 2011-05-23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1523 [GMT -7:00]

.

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\Shared Files\CTAudSvc.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Shane\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear

uRun: [Aim6]

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [CTHelper] CTHELPER.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1292218552828

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

TCP: {342D0906-724C-45BA-BD35-4009E803D6CF} = 209.18.47.61

TCP: {F5CFF891-98EA-4A37-AFBD-5308B0C89BAE} = 209.18.47.61

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\shane\application data\mozilla\firefox\profiles\7f893eh9.default\

FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/

FF - plugin: c:\documents and settings\shane\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-5-23 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-23 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-23 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-23 61960]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-5-18 2218600]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-11 24652]

R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]

R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]

R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]

S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-8-27 79360]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]

S3 krait03;Razer krait USB Filter Driver;c:\windows\system32\drivers\krait.sys [2009-8-27 13324]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 rak;rak;c:\windows\system32\rakion.sys [2010-6-18 60928]

S3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\SPIXNEW.SYS [2002-3-7 95528]

.

=============== Created Last 30 ================

.

2011-05-23 07:52:46 -------- d-----w- c:\documents and settings\shane\application data\Avira

2011-05-23 07:52:15 -------- d-----w- c:\windows\system32\NtmsData

2011-05-23 07:48:17 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-05-23 07:48:17 -------- d-----w- c:\program files\Avira

2011-05-23 07:48:17 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-05-23 07:25:17 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2011-05-23 07:25:16 -------- d-----w- c:\program files\Hitman Pro 3.5

2011-05-23 07:24:24 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro

2011-05-22 00:39:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-22 00:39:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-22 00:23:44 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-05-22 00:23:44 -------- d-----w- c:\windows\system32\wbem\Repository

2011-05-21 23:57:00 -------- d-----w- c:\windows\pss

2011-05-21 17:37:09 -------- d-----w- c:\program files\AVAST Software

2011-05-21 17:37:09 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2011-05-20 18:40:02 -------- d-----w- c:\program files\The Witcher 2

2011-05-19 06:34:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-19 06:30:01 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll

2011-05-19 06:30:01 855656 ----a-w- c:\windows\system32\nvgenco322060.dll

2011-05-07 18:48:09 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll

2011-05-07 18:48:09 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll

2011-05-07 18:48:09 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll

2011-05-07 18:48:09 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll

2011-05-07 18:48:09 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll

2011-05-07 18:48:08 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll

2011-05-07 18:48:08 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll

2011-05-07 18:48:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2011-05-04 04:19:27 0 ----a-w- C:\LOG62.tmp

2011-05-02 05:40:07 -------- d-----w- c:\documents and settings\shane\application data\ghc

2011-05-02 05:31:49 -------- d-----w- c:\program files\Haskell Platform

2011-05-01 08:05:14 -------- d-----w- c:\program files\Valve

2011-04-25 17:29:19 -------- d-----w- C:\Python27

.

==================== Find3M ====================

.

2011-05-19 06:30:25 259604 ----a-w- c:\windows\system32\nvdrsdb1.bin

2011-05-19 06:30:25 1 ----a-w- c:\windows\system32\nvdrssel.bin

2011-05-19 06:30:23 259604 ----a-w- c:\windows\system32\nvdrsdb0.bin

2011-04-18 05:40:11 0 ----a-w- C:\LOG1E4.tmp

2011-04-08 05:15:38 81920 ----a-w- c:\windows\system32\nvwddi.dll

2011-04-08 05:15:38 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll

2011-04-08 05:15:34 277608 ----a-w- c:\windows\system32\nvmccs.dll

2011-04-08 05:15:34 13891176 ----a-w- c:\windows\system32\nvcpl.dll

2011-04-08 05:15:34 111208 ----a-w- c:\windows\system32\nvmctray.dll

2011-04-08 05:15:32 155752 ----a-w- c:\windows\system32\nvsvc32.exe

2011-04-08 05:15:32 145000 ----a-w- c:\windows\system32\nvcolor.exe

2011-04-08 05:14:00 61440 ----a-w- c:\windows\system32\OpenCL.dll

2011-04-08 05:14:00 5210112 ----a-w- c:\windows\system32\nvcuda.dll

2011-04-08 05:14:00 4111232 ----a-w- c:\windows\system32\nv4_disp.dll

2011-04-08 05:14:00 2770536 ----a-w- c:\windows\system32\nvcuvid.dll

2011-04-08 05:14:00 2116894 ----a-w- c:\windows\system32\nvdata.bin

2011-04-08 05:14:00 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll

2011-04-08 05:14:00 2027008 ----a-w- c:\windows\system32\nvapi.dll

2011-04-08 05:14:00 14856192 ----a-w- c:\windows\system32\nvoglnt.dll

2011-04-08 05:14:00 13000704 ----a-w- c:\windows\system32\nvcompiler.dll

2011-04-08 05:14:00 12501600 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2011-03-02 10:43:46 175616 ----a-w- c:\windows\system32\unrar.dll

2011-02-23 04:12:23 0 ----a-w- C:\LOG3C0.tmp

.

============= FINISH: 1:56:07.59 ===============

Update: I was able to successfully update MBAM and run a quick scan.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6656

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/23/2011 11:54:16 AM

mbam-log-2011-05-23 (11-54-16).txt

Scan type: Quick scan

Objects scanned: 157382

Time elapsed: 2 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

attach.zip

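As an added example that is not part of the original thread or of Malwarebytes' own tooling: a small Python script that parses an MBAM 1.50-era log and the "Pseudo HJT Report" lines of a DDS log (the two formats posted above) into records and applies a few triage heuristics: autoruns that launch from user-writable directories such as Application Data or Temp, which is where the FakeAlert entries above lived, and DNS servers that are not on an expected list, since search redirects are a classic sign of a changed resolver. The sample log text is constructed from entries in the post (the FakeAlert Run line is a reconstruction of what MBAM removed); the heuristics, function names and expected-DNS list are my assumptions, not anything MBAM or DDS does.

```python
"""Added example, not code from the thread or from Malwarebytes: parse an
MBAM 1.50-era log and the DDS 'Pseudo HJT Report' lines into records and
apply triage heuristics that are the author's own assumptions."""
import re

# Constructed sample in the MBAM 1.50 log format (excerpt; summary counts omitted).
MBAM_SAMPLE = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6637
Scan type: Full scan (C:\|)
Objects scanned: 269108

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware Protection (Trojan.FakeAlert) -> Value: Malware Protection -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Shane\local settings\Temp\63.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Constructed sample of DDS "Pseudo HJT Report" lines. The third Run entry is a
# reconstruction (assumption) of the FakeAlert autorun before MBAM removed it.
DDS_SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uRun: [Malware Protection] c:\documents and settings\all users\application data\defender.exe
TCP: {342D0906-724C-45BA-BD35-4009E803D6CF} = 209.18.47.61
"""

# "<item> (<family>) -> <action>"; item is greedy so paths containing "(x86)" still parse.
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# DDS prefixes: uRun = HKCU Run, mRun = HKLM Run, TCP = per-interface DNS servers.
HJT_RE = re.compile(r"^(?P<kind>[um]Run|BHO|TB|DPF|TCP): (?P<body>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumption: autoruns launching from these user-writable locations deserve a look.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")


def parse_mbam_log(text):
    """Return {'meta': {...}, 'detections': [{'section','item','family','action'}, ...]}."""
    meta, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # e.g. "Files Infected:" starts a section
            section = line[: -len(" Infected:")]
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
        elif ":" in line and section is None:   # header lines such as "Database version: 6637"
            key, _, value = line.partition(":")
            meta[key.strip()] = value.strip()
    return {"meta": meta, "detections": detections}


def parse_dds_hjt(text):
    """Return {'autoruns': [...], 'dns_servers': set, 'bhos': [...]} from Pseudo HJT lines."""
    out = {"autoruns": [], "dns_servers": set(), "bhos": []}
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("uRun", "mRun"):
            r = RUN_RE.match(body)
            if r:
                hive = "HKCU" if kind == "uRun" else "HKLM"
                out["autoruns"].append({"hive": hive, "name": r.group("name"),
                                        "command": r.group("command")})
        elif kind == "TCP":
            out["dns_servers"].update(IP_RE.findall(body))
        elif kind in ("BHO", "TB"):
            out["bhos"].append(body)
    return out


def triage(mbam, dds, expected_dns=frozenset()):
    """Return a list of human-readable findings (heuristics are assumptions)."""
    findings = []
    for d in mbam["detections"]:
        findings.append(f"MBAM removed {d['family']} [{d['section']}]: {d['item']}")
    for a in dds["autoruns"]:
        cmd = a["command"].lower()
        if cmd and any(p in cmd for p in USER_WRITABLE):
            findings.append(f"{a['hive']} Run '{a['name']}' launches from a "
                            f"user-writable path: {a['command']}")
    for ip in sorted(dds["dns_servers"]):
        if ip not in expected_dns:
            findings.append(f"DNS server {ip} is not in the expected set; confirm it "
                            f"with the ISP/admin (redirects often come from a changed resolver)")
    return findings


if __name__ == "__main__":
    report = triage(parse_mbam_log(MBAM_SAMPLE), parse_dds_hjt(DDS_SAMPLE))
    print("\n".join(report))
```

Run it against a saved mbam-log and DDS.txt by reading the files into the two parse functions instead of the constructed samples; pass the resolver addresses your ISP or network actually hands out as `expected_dns` so only unexplained DNS entries are reported.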

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
