Repeated attacks from same domainsP

graddy · September 12, 2011

Please help me. MBAM is blocking 3-4 attacks per minute from the same two IPs. This has been going on for 48+ hours. I have run MBAM, Prevx, Spybot S&D, Sophos Antiroot Kit, Superantispyware and HiJack This but only found a few pieces of adware. Everything on the computer seems to be running normally except for the repeated attacks. They're listed as outgoing so I'm thinking there has to be something on my machine that's triggering them. Let me know what logs you want posted and I'll put them up. Thanks so much.

graddy · September 12, 2011

update: i'm now finding .exe's running from the temp folder. only one at a time, can kill with reboot but another with a new name comes back. still not finding anything on scans.

graddy · September 12, 2011

update: i'm now finding .exe's running from the temp folder. only one at a time, can kill with reboot but another with a new name comes back. still not finding anything on scans.

update: this file name came up, registered as a trojan: csrss.exe

http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/

now googling how to remove, any help appreciated.

graddy · September 12, 2011

well, now i that i check the path see it's in the system32 folder, so perhaps it is not.

AdvancedSetup · September 12, 2011

Please read the following post which will help you more.

graddy · September 12, 2011

Here you are.

MBAM log

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7694

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/12/2011 5:35:17 AM

mbam-log-2011-09-12 (05-35-17).txt

Scan type: Full scan (C:\|)

Objects scanned: 305808

Time elapsed: 4 hour(s), 59 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS log

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Emily at 9:51:41 on 2011-09-12

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.1937 [GMT -5:00]

.

AV: Prevx 3.0 *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D901}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTSvcCDA.EXE

C:\Program Files\Prevx\prevx.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\Expat Shield\bin\hsswd.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\NavNT\rtvscan.exe

C:\Program Files\NovaStor\NovaStor NovaBACKUP\nsService.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\Prevx\prevx.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\NavNT\vptray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\cacaoweb\cacaoweb.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Emily\Desktop\Defogger.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: Expat Shield Class: {3706ee7c-3cad-445d-8a43-03ebc3b75908} - c:\program files\expat shield\hssie\ExpatIE.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [cacaoweb] "c:\program files\cacaoweb\cacaoweb.exe" -noplayer

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [skyTel] SkyTel.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [vptray] c:\program files\navnt\vptray.exe

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [Logicool Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: Semagic - c:\program files\semagic\link.htm

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: cleverreach.com\novastor

Trusted Zone: google-analytics.com

Trusted Zone: novastor.com

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263066431796

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: Interfaces\{95FD4FBC-FE00-4841-8934-F54CDC3596B1} : NameServer = 208.67.222.222,208.67.220.220

Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\emily\application data\mozilla\firefox\profiles\lfmweh3o.default\

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&q=

FF - component: c:\documents and settings\emily\application data\mozilla\firefox\profiles\lfmweh3o.default\extensions\optout@dubfire.net\lib\winnt\ff3\AbineComponent.dll

FF - plugin: c:\documents and settings\emily\application data\mozilla\firefox\profiles\lfmweh3o.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: cacaoweb: cacaoweb@cacaoweb.org - %profile%\extensions\cacaoweb@cacaoweb.org

FF - Ext: Cache Status: cache@status.org - %profile%\extensions\cache@status.org

FF - Ext: eSnipe.com SnipeIt!: esnipesnipeit@esnipe.com - %profile%\extensions\esnipesnipeit@esnipe.com

FF - Ext: Fasterfox Lite: FasterFox_Lite@BigRedBrent - %profile%\extensions\FasterFox_Lite@BigRedBrent

FF - Ext: Clear History: nadir.kadem@gmail.com - %profile%\extensions\nadir.kadem@gmail.com

FF - Ext: TACO with Abine: optout@dubfire.net - %profile%\extensions\optout@dubfire.net

FF - Ext: RightBar: rightbar@realmtech.net - %profile%\extensions\rightbar@realmtech.net

FF - Ext: Weather Watcher Live: weatherwatcherlive@singerscreations.com - %profile%\extensions\weatherwatcherlive@singerscreations.com

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Old Location Bar: {3205B348-523A-4fac-9BC4-9939CBF583B0} - %profile%\extensions\{3205B348-523A-4fac-9BC4-9939CBF583B0}

FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: Abduction!: {b0e1b4a6-2c6f-4e99-94f2-8e625d7ae255} - %profile%\extensions\{b0e1b4a6-2c6f-4e99-94f2-8e625d7ae255}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}

FF - Ext: Steep and Cheap Watcher: {fa038e8f-d1d1-11db-9705-005056c00008} - %profile%\extensions\{fa038e8f-d1d1-11db-9705-005056c00008}

FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard

FF - Ext: Multirow Bookmarks Toolbar: {FBF6D7FB-F305-4445-BB3D-FEF66579A033} - %profile%\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}

FF - Ext: Easy YouTube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}

FF - Ext: NoSquint: nosquint@urandom.ca - %profile%\extensions\nosquint@urandom.ca

FF - Ext: LeechBlock: {a95d8332-e4b4-6e7f-98ac-20b733364387} - %profile%\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}

FF - Ext: ScribeFire: {F807FACD-E46A-4793-B345-D58CB177673C} - %profile%\extensions\{F807FACD-E46A-4793-B345-D58CB177673C}

FF - Ext: EPUBReader: {5384767E-00D9-40E9-B72F-9CC39D655D6F} - %profile%\extensions\{5384767E-00D9-40E9-B72F-9CC39D655D6F}

FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org

FF - Ext: AddonFox: {ad48108d-92a6-4eb9-87e4-978aca1dbae4} - %profile%\extensions\{ad48108d-92a6-4eb9-87e4-978aca1dbae4}

FF - Ext: Stylish: {46551EC9-40F0-4e47-8E18-8E5CF550CFB8} - %profile%\extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false

============= SERVICES / DRIVERS ===============

.

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-5-24 32008]

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2010-1-12 4064]

R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2010-1-9 13696]

R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-5-24 6416120]

R2 ExpatWd;Expat Shield Monitoring Service;c:\program files\expat shield\bin\hsswd.exe -product expat --> c:\program files\expat shield\bin\hsswd.exe -product Expat [?]

R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2011-8-13 3712]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-11 366640]

R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]

R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]

R2 nsService;NovaStor NovaBACKUP Backup/Copy Engine;c:\program files\novastor\novastor novabackup\nsService.exe [2010-4-14 261256]

R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-5-24 76696]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2009-6-17 42648]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2010-8-24 12184]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-1-11 22712]

R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\13.tmp --> c:\windows\system32\13.tmp [?]

R3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVENG.sys [2010-10-13 86064]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101013.002\NAVEX15.sys [2010-10-13 1371184]

R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-5-24 26096]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\emily\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\emily\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\emily\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\emily\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]

S2 PEVSystemStart;PEVSystemStart;c:\combofix\pev.3XE [2011-6-26 256000]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-5-21 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-5-21 8456]

S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-8-11 27064]

S3 ZWDAGMLowerFilter;ZWDA General Mouse Filter Driver;c:\windows\system32\drivers\zwda_gm_lowerfilter.sys [2011-8-13 21248]

.

=============== Created Last 30 ================

.

2011-09-12 04:56:18 6144 ------w- c:\windows\system32\2.tmp

2011-09-12 04:56:12 6144 ------w- c:\windows\system32\1.tmp

2011-09-12 03:23:25 6144 ------w- c:\windows\system32\12.tmp

2011-09-12 02:18:06 -------- d-----w- c:\program files\kohmtgiw

2011-09-11 16:34:17 208896 ----a-w- c:\windows\MBR.exe

2011-09-11 16:34:16 518144 ----a-w- c:\windows\SWREG.exe

2011-09-11 16:34:16 256000 ----a-w- c:\windows\PEV.exe

2011-09-11 16:34:15 98816 ----a-w- c:\windows\sed.exe

2011-09-11 16:33:29 -------- d-s---w- C:\ComboFix

2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll

2011-08-27 20:31:39 -------- d-----w- c:\program files\iPod

2011-08-27 20:31:22 -------- d-----w- c:\program files\iTunes

2011-08-20 08:27:52 -------- d-----w- C:\PrevxCSI

2011-08-13 18:31:36 301656 ----a-w- c:\windows\system32\BtCoreIf.dll

.

==================== Find3M ====================

.

2011-09-12 02:37:20 71880 ----a-w- c:\windows\system32\PxSecure.dll

2011-09-12 02:37:18 32008 ----a-w- c:\windows\system32\drivers\pxscan.sys

2011-09-12 02:37:16 26096 ----a-w- c:\windows\system32\drivers\pxkbf.sys

2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-08-24 15:57:25 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2011-08-11 23:45:42 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-07-12 16:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-07-12 16:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-07-12 16:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-07-12 16:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll

2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys

2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-07-05 23:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2011-07-05 23:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts

2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll

2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\SET1E6.tmp

2011-06-23 18:36:30 66560 ----a-w- c:\windows\system32\SET1EB.tmp

2011-06-23 18:36:30 611840 ----a-w- c:\windows\system32\SET1EA.tmp

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\SET1EF.tmp

2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-06-23 18:36:30 25600 ----a-w- c:\windows\system32\SET1F0.tmp

2011-06-23 18:36:30 206848 ----a-w- c:\windows\system32\SET1E9.tmp

2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-06-23 18:36:30 1212416 ----a-w- c:\windows\system32\SET1E7.tmp

2011-06-23 18:36:30 105984 ----a-w- c:\windows\system32\SET1E8.tmp

2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec

2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll

2010-11-05 07:09:24 7221248 ----a-w- c:\program files\praat.exe

2010-09-19 05:05:44 455480 ----a-w- c:\program files\UnInstall.exe

2010-05-26 23:16:12 9194224 ----a-w- c:\program files\IconWorkshop.exe

2010-05-25 15:19:36 1124864 ----a-w- c:\program files\ResGer.dll

2010-05-25 15:18:44 1127936 ----a-w- c:\program files\ResFra.dll

2009-09-02 15:02:44 110080 ----a-w- c:\program files\IconWorkshopAddin.dll

2008-08-08 20:25:00 81920 ----a-w- c:\program files\IconWorkshopAddin2005.dll

2008-03-25 03:50:26 554008 ----a-w- c:\program files\common files\dao360.dll

.

============= FINISH: 9:52:47.53 ===============

GMER log

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2011-09-12 14:02:40

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\00000076 Hitachi_HDS721616PLA380 rev.P22OABEA

Running: k28ki1pi.exe; Driver: C:\DOCUME~1\Emily\LOCALS~1\Temp\kxtdapod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAllocateVirtualMemory [0xB4E26F60]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xB4E26AF0]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xB4E26B40]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDebugActiveProcess [0xB4E26F10]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0xB4E26810]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0xB4E268D0]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDuplicateObject [0xB4E27180]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xB4E27490]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenSection [0xB4E26CD0]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xB4E27320]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xB4E26BE0]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xB4E26AA0]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0xB4E269B0]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSystemDebugControl [0xB4E26E80]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xB4E27630]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xB4E26C80]

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xB4E27000]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB905F360, 0x32DEFD, 0xE8000020]

? C:\WINDOWS\system32\13.tmp The system cannot find the file specified. !

? C:\DOCUME~1\Emily\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe[636] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 044EA939 C:\Program Files\Spybot - Search & Destroy\Plugins\Chai.dll

.text C:\WINDOWS\system32\SearchIndexer.exe[2116] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)

AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

MBAM sample attack log

22:28:55 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:29:06 Emily IP-BLOCK 204.188.235.81 (Type: incoming)

22:29:17 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:29:18 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:29:19 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:29:20 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:29:22 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:29:26 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:29:28 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:29:28 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:29:48 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:29:51 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:29:56 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:29:57 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:29:59 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:30:05 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:30:15 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:30:18 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:30:18 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:30:21 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:30:21 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:30:24 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:30:27 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:30:27 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:30:46 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:30:46 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:30:49 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:30:49 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:30:55 Emily IP-BLOCK 94.102.49.218 (Type: outgoing)

22:30:55 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

22:31:16 Emily IP-BLOCK 204.188.235.81 (Type: outgoing)

ark.zip

attach.zip

graddy · September 14, 2011

Bumping this as per the 48 hrs rule on the help post. Thanks.

screen317 · September 16, 2011

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

graddy · September 17, 2011

Combofix ran and is trying to reboot. It has been stuck on the reboot screen for over an hour now and I'm starting to freak out a little bit. I don't want to screw up by touching anything but I'm pretty sure it's not going to reboot on its own. What can I do now?

graddy · September 18, 2011

Has been 12 hours now with no change. Anyone? Can I manually reboot?

screen317 · September 18, 2011

Hi,

Please continue being patient as there are hundreds ahead of you in the queue.

Try manually rebooting and ensure that Windows can run successfully.

graddy · September 18, 2011

Thank you very much. Here is an update. The computer seemed to boot fine. The internet connection was still disabled. No combofix logs appeared--maybe they are somewhere on my machine but I didn't want to poke around. I did not run combofix again b/c I had no instruction to do so.

MBAM would not start, so I did a fresh install, checked no when it asked to update and then scanned. I also did a DDS scan. These are not posted but the DDS log is attached as Attach1. I then rebooted successfully, re-enabled virus protection, re-enabled internet connection, updated MBAM, disabled internet, and scanned with MBAM and DDS again. These are posted below, and the DDS log is attached as Attach2.

During the minute or so internet connection was active MBAM did not log any incoming or outgoing attacks.

Here are the logs (except for combofix log, which as I said did not come up on reboot):

MBAM log

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7622

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/18/2011 1:26:00 PM

mbam-log-2011-09-18 (13-26-00).txt

Scan type: Quick scan

Objects scanned: 179525

Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

--------------------------------------------------------------------------

DDS log

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26

Run by Emily at 14:06:56 on 2011-09-18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2110 [GMT -5:00]

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTSvcCDA.EXE

C:\Program Files\Prevx\prevx.exe

C:\Program Files\NavNT\defwatch.exe

C:\Program Files\Expat Shield\bin\hsswd.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\NavNT\rtvscan.exe

C:\Program Files\NovaStor\NovaStor NovaBACKUP\nsService.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Prevx\prevx.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\NavNT\vptray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\WINDOWS\system32\taskmgr.exe

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe