Virus KILLS malwarebytes and GMER


Hi all,

Whatever nasty I have causes Malwarebytes to disappear after about 10 seconds, and then can't be accessed again. I followed the instructions for a new post and here are the results:

I ran Defogger, and when the Finished message hit, the window to disable the CD Emulation drivers was still there and active. I closed it. The program did NOT ask me to reboot.

I ran DDS. Here is the first log:

.

DDS (Ver_2011-06-23.01) - NTFSx86

Internet Explorer: 7.0.5730.13

Run by Bill Purse at 14:54:08 on 2011-07-24

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.269 [GMT -7:00]

.

.

============== Running Processes ===============

.

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\CTSvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Smith Micro\StuffIt 2010\ArcNameService.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\program files\real\realplayer\update\realsched.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NETGEAR GA311 Adapter\GA311.exe

C:\WINDOWS\system32\MSOffice\update.exe

C:\WINDOWS\system32\MSOffice\update.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.cnn.com/

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AdobeAcrobat6] c:\windows\system32\msoffice\update.exe

mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AdobeAcrobat5] c:\windows\system32\msoffice\update.exe

uExplorerRun: [Policies] c:\windows\system32\msoffice\update.exe

mExplorerRun: [Policies] c:\windows\system32\msoffice\update.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ga311s~1.lnk - c:\program files\netgear ga311 adapter\GA311.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Open Client to Monitor &1 - c:\windows\web\AOpenClient.htm

IE: Open Client to Monitor &2 - c:\windows\web\AOpenClient.htm

IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\empirepokermaster\empirepoker\RunEPoker.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} c:\program files\partygaming\partypoker\runapp.exe - c:\program files\partygaming\partypoker\runapp.exe\inprocserver32 does not exist!

LSP: mswsock.dll

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://www.installshield.com/install/iftwclix.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163885535428

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab

DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{27351B83-5BD8-486F-9280-B8CB47732175} : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{27351B83-5BD8-486F-9280-B8CB47732175} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{A0BB83B6-A081-476B-BFC6-76F3CAE45733} : DhcpNameServer = 192.168.0.1

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

mASetup: {QDH52V31-W5WW-3427-203N-84X616XF203F} - c:\windows\system32\msoffice\update.exe Restart

.

============= SERVICES / DRIVERS ===============

.

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2002-2-19 8040]

R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2003-9-17 8440]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-9-30 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-3 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-3 47640]

R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2003-8-15 11237]

R3 gsif324;GSIF Driver for MOTU 324;c:\windows\system32\drivers\GSIF324.sys [2003-11-5 27160]

R3 w324drvr;w324drvr;c:\windows\system32\drivers\w324drvr.sys [2003-11-5 141236]

R3 Wave324;Wave Driver for PCI-324;c:\windows\system32\drivers\Wave324.sys [2003-11-5 44760]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-27 136176]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-11-27 136176]

S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2002-2-17 294784]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

S4 StarTechAgent;Pioneer StarTech Server;"c:\program files\pioneer interactive inc\pioneer startech\datatier.exe" --> c:\program files\pioneer interactive inc\pioneer startech\DataTier.exe [?]

S4 StarTechUpdate;Pioneer StarTech Update Server;"c:\program files\pioneer interactive inc\pioneer startech\startechupdate.exe" --> c:\program files\pioneer interactive inc\pioneer startech\StarTechUpdate.exe [?]

.

=============== Created Last 30 ================

.

2011-07-23 17:56:37 60153 ----a-w- c:\documents and settings\bill purse\application data\SQLite3.dll

2011-07-23 17:53:04 -------- d-----w- c:\documents and settings\bill purse\local settings\application data\Smith Micro

2011-07-23 17:52:39 -------- d-----w- c:\documents and settings\all users\application data\Smith Micro

2011-07-23 17:52:26 -------- d-----w- c:\program files\Smith Micro

2011-07-23 17:37:12 -------- d-----w- c:\documents and settings\bill purse\local settings\application data\PackageAware

2011-07-23 17:32:37 -------- d-----w- c:\program files\File Type Assistant

2011-07-23 17:32:08 -------- d-----w- c:\program files\Yahoo!

2011-07-21 23:10:50 105472 -c----w- c:\windows\system32\dllcache\mup.sys

2011-07-19 00:43:14 -------- d-----w- C:\lemmings

2011-07-06 17:30:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-07-15 02:14:56 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2011-07-15 02:14:56 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll

2011-07-15 02:14:55 87424 ----a-w- c:\windows\system32\LMIinit.dll

2011-07-15 02:14:55 29568 ----a-w- c:\windows\system32\LMIport.dll

2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys

2011-05-04 11:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-05-04 09:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll

2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll

2009-09-18 18:46:39 107 ---ha-w- c:\program files\BALANCE.REG

2006-03-24 14:19:48 421888 --sh--r- c:\windows\system32\msoffice\update.exe

.

============= FINISH: 14:56:03.74 ===============

When I ran GMER, it did NOT warn me about rootkit activity. I unchecked the appropriate boxes, then hit scan, and after about 4 seconds, it disappeared. I guess whatever bug this is also disables that program. So the attached file is only the attach.txt in a zipped form.

Please help. Thanks in advance.

Bill

attach.zip


Staff reply, 2 weeks later:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
