Hi
For the past few days I've been getting this error the first time I open explorer.exe. If I ignore the pop up everything seems fine.

"Microsoft Visual C++ Runtime Library
Buffer Overrun detected!
Program: C:\WINDOWS\Explorer.EXE
A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated."

If I click 'ok', explorer.exe closes (the taskbar and all its windows), and then reopens a fresh copy of itself in memory.
Below are the required logs:
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.20.05
Windows XP Service Pack 2 x86 FAT32
Internet Explorer 8.0.6001.18702
Admin :: HOME [administrator]
Protection: Enabled
5/20/2012 10:48:21 PM
mbam-log-2012-05-20 (22-48-21).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197041
Time elapsed: 2 hour(s), 44 minute(s), 38 second(s)
Memory Processes Detected: 1
C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> 980 -> Delete on reboot.
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 16
HKCR\CLSID\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} (PUP.NavExcel) -> Quarantined and deleted successfully.
HKCR\TypeLib\{FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3} (PUP.NavExcel) -> Quarantined and deleted successfully.
HKCR\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07} (PUP.NavExcel) -> Quarantined and deleted successfully.
HKCR\NavExcel.NavHelper.1 (PUP.NavExcel) -> Quarantined and deleted successfully.
HKCR\NavExcel.NavHelper (PUP.NavExcel) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} (PUP.NavExcel) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} (PUP.NavExcel) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} (PUP.NavExcel) -> Quarantined and deleted successfully.
HKCR\AppID\{710BCB5B-8C6C-483E-A4F5-FAF083B13184} (PUP.NavExcel) -> Quarantined and deleted successfully.
HKCR\CLSID\{5A8A1D95-22E9-3963-2E06-90BDD094E562} (Trojan.Rimecud) -> Quarantined and deleted successfully.
HKCR\CLSID\{00000100-0000-0010-8000-00AA006D2EA4} (Trojan.Rimecud) -> Quarantined and deleted successfully.
HKCR\DAO.DBEngine.36 (Trojan.Rimecud) -> Quarantined and deleted successfully.
HKCR\DAO.Index.36 (Trojan.Rimecud) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NavHelper (PUP.NavExcel) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\DRM\amty (Worm.Autorun) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\NavExcel\NavHelper (PUP.NavExcel) -> Quarantined and deleted successfully.
Registry Values Detected: 4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|csrcs (Trojan.Agent) -> Data: C:\WINDOWS\system32\csrcs.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|csrcs (Trojan.Agent) -> Data: C:\WINDOWS\system32\csrcs.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Taskman (Worm.Autorun) -> Data: C:\Documents and Settings\Admin\Application Data\vfbu.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NavHelper|HelpLink (PUP.NavExcel) -> Data: http://www.navexcel.com/faqs.html -> Quarantined and deleted successfully.
Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Trojan.Agent) -> Bad: (csrcs.exe) Good: () -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell) -> Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) -> Quarantined and repaired successfully.
Folders Detected: 1
C:\Program Files\NavExcel\NavHelper\v2.0.4 (PUP.NavExcel) -> Delete on reboot.
Files Detected: 12
C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll (PUP.NavExcel) -> Delete on reboot.
C:\Program Files\Common Files\Microsoft Shared\DAO\dao360.dll (Trojan.Rimecud) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1.exe (Trojan.JClicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\295.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\8357.exe (Trojan.Agent.PS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\324577.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Program Files\NavExcel\NavHelper\v2.0.4\NHUninstaller.exe (PUP.NavExcel) -> Quarantined and deleted successfully.
C:\Program Files\NavExcel\NavHelper\v2.0.4\NHUpdater.exe (PUP.NavExcel) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Admin\Application Data\6.tmp (Trojan.Generic) -> Quarantined and deleted successfully.
C:\Program Files\NavExcel\NavHelper\v2.0.4\v2.0.4.cab (PUP.NavExcel) -> Quarantined and deleted successfully.
C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.htm (PUP.NavExcel) -> Quarantined and deleted successfully.
(end)
GMER
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-05-21 01:46:18
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST340015A rev.3.01
Running: 62osdnzg.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\ugtoipow.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
DDS
.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_32
Run by Admin at 1:47:59 on 2012-05-21
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.59 [GMT 5.5:30]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{BEFC9777-B3A9-4037-A50E-88B204AE6E2D} : NameServer = 4.4.4.4,8.8.8.8
TCP: Interfaces\{BEFC9777-B3A9-4037-A50E-88B204AE6E2D} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\jk8zt5n8.default\
FF - prefs.js: browser.startup.homepage - www.techspot.com/community/topics/updated-5-step-viruses-spyware-malware-preliminary-removal-instructions.58138/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\jk8zt5n8.default\extensions\ffxtlbr@babylon.com\components\FFHst.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-20 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-20 22344]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-20 40776]
S4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 129976]
.
=============== Created Last 30 ================
.
2012-05-20 17:13:57 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-05-20 17:13:57 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2012-05-20 17:13:42 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-20 17:13:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-20 17:13:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-19 14:33:32 -------- d-----w- c:\program files\NavExcel
2012-05-15 17:48:44 850152 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-05-15 17:48:36 -------- d-----w- c:\program files\Illustrate
2012-05-15 17:39:28 -------- d-----w- c:\program files\NCH Software
2012-05-15 17:39:25 -------- d-----w- c:\documents and settings\admin\application data\NCH Software
2012-05-12 00:06:40 -------- d-sh--w- C:\FOUND.008
2012-05-08 14:04:49 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-04 00:39:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-05-04 00:39:20 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-05-03 15:34:44 -------- d-----w- c:\documents and settings\admin\application data\BabylonToolbar
2012-05-03 14:32:36 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-03 14:32:34 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-05-03 14:32:34 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-04-30 14:15:48 -------- d-sh--w- C:\FOUND.007
.
==================== Find3M ====================
.
2012-05-08 14:04:50 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-04 00:38:22 472864 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 1:50:10.48 ===============
Attach:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/12/2011 9:27:51 PM
System Uptime: 5/21/2012 1:39:12 AM (0 hours ago)
.
Motherboard: KOB | | PVM266aM
Processor: Intel(R) Celeron(R) CPU 1.70GHz | FC-478 | 1699/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (FAT32) - 9 GiB total, 4.834 GiB free.
D: is FIXED (FAT32) - 28 GiB total, 10.976 GiB free.
E: is FIXED (FAT32) - 4 GiB total, 0.434 GiB free.
F: is FIXED (FAT32) - 19 GiB total, 0.092 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
AC3Filter 1.63b
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.1)
Apple Application Support
Apple Software Update
dBpoweramp m4a Codec
DivX Setup
EasyDownloads - fastest downloads in two clicks!
ffdshow (remove only)
FileZilla Client 3.5.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Java Auto Updater
Java(TM) 6 Update 32
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
Prism Video File Converter
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
TeamViewer 3
VC80CRTRedist - 8.0.50727.6195
VLC media player 2.0.0
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
5/21/2012 1:37:22 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\dao\dao360.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 3.60.8618.0.
.
==== End Of File ===========================