TechSpot

[A] Buffer overrun detected in Explorer.exe

Inactive
By smartzak
May 20, 2012
  1. Hi

    For the past few days I've been getting this error first time I open explorer.exe
    If I ignore the pop up everything seems fine.
    If I click 'ok', explorer.exe closes, taskbar and all its windows, and then re opens a fresh copy of it in memory.

    Below are the required logs:
    Malwarebytes Anti-Malware
    Malwarebytes Anti-Malware (Trial) 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.05.20.05

    Windows XP Service Pack 2 x86 FAT32
    Internet Explorer 8.0.6001.18702
    Admin :: HOME [administrator]

    Protection: Enabled

    5/20/2012 10:48:21 PM
    mbam-log-2012-05-20 (22-48-21).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 197041
    Time elapsed: 2 hour(s), 44 minute(s), 38 second(s)

    Memory Processes Detected: 1
    C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> 980 -> Delete on reboot.

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 16
    HKCR\CLSID\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} (PUP.NavExcel) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{FA4DE133-D3C3-4ED4-92D1-CD4DDE839AB3} (PUP.NavExcel) -> Quarantined and deleted successfully.
    HKCR\Interface\{20F36AF3-3486-4BB6-8BCB-F1F8ABE74D07} (PUP.NavExcel) -> Quarantined and deleted successfully.
    HKCR\NavExcel.NavHelper.1 (PUP.NavExcel) -> Quarantined and deleted successfully.
    HKCR\NavExcel.NavHelper (PUP.NavExcel) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} (PUP.NavExcel) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} (PUP.NavExcel) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} (PUP.NavExcel) -> Quarantined and deleted successfully.
    HKCR\AppID\{710BCB5B-8C6C-483E-A4F5-FAF083B13184} (PUP.NavExcel) -> Quarantined and deleted successfully.
    HKCR\CLSID\{5A8A1D95-22E9-3963-2E06-90BDD094E562} (Trojan.Rimecud) -> Quarantined and deleted successfully.
    HKCR\CLSID\{00000100-0000-0010-8000-00AA006D2EA4} (Trojan.Rimecud) -> Quarantined and deleted successfully.
    HKCR\DAO.DBEngine.36 (Trojan.Rimecud) -> Quarantined and deleted successfully.
    HKCR\DAO.Index.36 (Trojan.Rimecud) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NavHelper (PUP.NavExcel) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\DRM\amty (Worm.Autorun) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\NavExcel\NavHelper (PUP.NavExcel) -> Quarantined and deleted successfully.

    Registry Values Detected: 4
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|csrcs (Trojan.Agent) -> Data: C:\WINDOWS\system32\csrcs.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|csrcs (Trojan.Agent) -> Data: C:\WINDOWS\system32\csrcs.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Taskman (Worm.Autorun) -> Data: C:\Documents and Settings\Admin\Application Data\vfbu.exe -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NavHelper|HelpLink (PUP.NavExcel) -> Data: http://www.navexcel.com/faqs.html -> Quarantined and deleted successfully.

    Registry Data Items Detected: 2
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Trojan.Agent) -> Bad: (csrcs.exe) Good: () -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Hijack.Shell) -> Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) -> Quarantined and repaired successfully.

    Folders Detected: 1
    C:\Program Files\NavExcel\NavHelper\v2.0.4 (PUP.NavExcel) -> Delete on reboot.

    Files Detected: 12
    C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll (PUP.NavExcel) -> Delete on reboot.
    C:\Program Files\Common Files\Microsoft Shared\DAO\dao360.dll (Trojan.Rimecud) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\1.exe (Trojan.JClicker) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Local Settings\Temp\295.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Local Settings\Temp\8357.exe (Trojan.Agent.PS) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Admin\Local Settings\Temp\324577.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\NavExcel\NavHelper\v2.0.4\NHUninstaller.exe (PUP.NavExcel) -> Quarantined and deleted successfully.
    C:\Program Files\NavExcel\NavHelper\v2.0.4\NHUpdater.exe (PUP.NavExcel) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\csrcs.exe (Trojan.Agent) -> Delete on reboot.
    C:\Documents and Settings\Admin\Application Data\6.tmp (Trojan.Generic) -> Quarantined and deleted successfully.
    C:\Program Files\NavExcel\NavHelper\v2.0.4\v2.0.4.cab (PUP.NavExcel) -> Quarantined and deleted successfully.
    C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.htm (PUP.NavExcel) -> Quarantined and deleted successfully.

    (end)


    GMER
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-05-21 01:46:18
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST340015A rev.3.01
    Running: 62osdnzg.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\ugtoipow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    DDS
    .
    DDS (Ver_2011-08-26.01) - FAT32x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_32
    Run by Admin at 1:47:59 on 2012-05-21
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.59 [GMT 5.5:30]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{BEFC9777-B3A9-4037-A50E-88B204AE6E2D} : NameServer = 4.4.4.4,8.8.8.8
    TCP: Interfaces\{BEFC9777-B3A9-4037-A50E-88B204AE6E2D} : DhcpNameServer = 192.168.1.1
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\jk8zt5n8.default\
    FF - prefs.js: browser.startup.homepage - www.techspot.com/community/topics/updated-5-step-viruses-spyware-malware-preliminary-removal-instructions.58138/
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\jk8zt5n8.default\extensions\ffxtlbr@babylon.com\components\FFHst.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
    FF - plugin: c:\windows\system32\npdeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-20 654408]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-20 22344]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-20 40776]
    S4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 129976]
    .
    =============== Created Last 30 ================
    .
    2012-05-20 17:13:57 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-05-20 17:13:57 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
    2012-05-20 17:13:42 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-05-20 17:13:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-05-20 17:13:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-05-19 14:33:32 -------- d-----w- c:\program files\NavExcel
    2012-05-15 17:48:44 850152 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2012-05-15 17:48:36 -------- d-----w- c:\program files\Illustrate
    2012-05-15 17:39:28 -------- d-----w- c:\program files\NCH Software
    2012-05-15 17:39:25 -------- d-----w- c:\documents and settings\admin\application data\NCH Software
    2012-05-12 00:06:40 -------- d-sh--w- C:\FOUND.008
    2012-05-08 14:04:49 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-04 00:39:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-05-04 00:39:20 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-05-03 15:34:44 -------- d-----w- c:\documents and settings\admin\application data\BabylonToolbar
    2012-05-03 14:32:36 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-05-03 14:32:34 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
    2012-05-03 14:32:34 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
    2012-04-30 14:15:48 -------- d-sh--w- C:\FOUND.007
    .
    ==================== Find3M ====================
    .
    2012-05-08 14:04:50 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-05-04 00:38:22 472864 ----a-w- c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 1:50:10.48 ===============


    Attach:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/12/2011 9:27:51 PM
    System Uptime: 5/21/2012 1:39:12 AM (0 hours ago)
    .
    Motherboard: KOB | | PVM266aM
    Processor: Intel(R) Celeron(R) CPU 1.70GHz | FC-478 | 1699/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (FAT32) - 9 GiB total, 4.834 GiB free.
    D: is FIXED (FAT32) - 28 GiB total, 10.976 GiB free.
    E: is FIXED (FAT32) - 4 GiB total, 0.434 GiB free.
    F: is FIXED (FAT32) - 19 GiB total, 0.092 GiB free.
    G: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    AC3Filter 1.63b
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader X (10.1.1)
    Apple Application Support
    Apple Software Update
    dBpoweramp m4a Codec
    DivX Setup
    EasyDownloads - fastest downloads in two clicks!
    ffdshow (remove only)
    FileZilla Client 3.5.2
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Java Auto Updater
    Java(TM) 6 Update 32
    Malwarebytes Anti-Malware version 1.61.0.1400
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox 12.0 (x86 en-US)
    Mozilla Maintenance Service
    Prism Video File Converter
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    TeamViewer 3
    VC80CRTRedist - 8.0.50727.6195
    VLC media player 2.0.0
    WebFldrs XP
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR archiver
    Yahoo! Messenger
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/21/2012 1:37:22 AM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\dao\dao360.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 3.60.8618.0.
    .
    ==== End Of File ===========================


     
  2. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================================

    You're not running any AV program.
    Install ONE of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
    - free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
    Update, run full scan, report on any findings.

    Next...

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    ========================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
     
  3. smartzak

    smartzak TS Rookie Topic Starter

    Can I use Norton AV, that I get free from my ISP? Or I should select one of the 3 you listed? An AV Program very much slows down my computer, so I avoid it.
    I'll follow the steps you provided and get back to you soon.

    P.s: I have a similar problem on another of my computer. It's that 'csrcs.exe' problem. Do I start a separate topic for that?
     
  4. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    Yes, one computer per topic.

    An AV program is a must. I'm not a big fan of Norton, but the decision is yours.
     
  5. smartzak

    smartzak TS Rookie Topic Starter

  6. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    Skip AV program installation for now.
    Proceed with other steps.
     
  7. smartzak

    smartzak TS Rookie Topic Starter

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
    ============================================================================

    aswMBR log:

    aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
    Run date: 2012-05-26 23:26:43
    -----------------------------
    23:26:43.406 OS Version: Windows 5.1.2600 Service Pack 2
    23:26:43.406 Number of processors: 1 586 0x103
    23:26:43.421 ComputerName: HOME UserName:
    23:26:44.718 Initialize success
    23:26:52.578 AVAST engine download error: 0
    23:27:32.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    23:27:32.843 Disk 0 Vendor: ST340015A 3.01 Size: 38166MB BusType: 3
    23:27:34.875 Disk 0 MBR read successfully
    23:27:34.875 Disk 0 MBR scan
    23:27:34.875 Disk 0 Windows XP default MBR code
    23:27:34.890 Disk 0 scanning sectors +78156225
    23:27:34.937 Disk 0 scanning C:\WINDOWS\system32\drivers
    23:28:00.671 Service scanning
    23:28:02.093 Service MpKsla4358e08 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CCBD56C-3F51-46B9-B838-5FC2665F6304}\MpKsla4358e08.sys **LOCKED** 32
    23:28:03.984 Modules scanning
    23:28:16.312 Disk 0 trace - called modules:
    23:28:16.328 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
    23:28:16.343 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x853939c0]
    23:28:16.359 3 CLASSPNP.SYS[f784905b] -> nt!IofCallDriver -> \Device\00000051[0x85394f18]
    23:28:16.375 5 ACPI.sys[f77bf620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8539bb58]
    23:28:16.390 Scan finished successfully
    23:28:23.484 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Admin\My Documents\MBR.dat"
    23:28:23.515 The log file has been saved successfully to "C:\Documents and Settings\Admin\My Documents\aswMBR.txt"
     
  8. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    Looks clean.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. smartzak

    smartzak TS Rookie Topic Starter

    ComboFix 12-05-31.02 - Admin 05/31/2012 19:37:35.1.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.299 [GMT 5.5:30]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\NavExcel
    c:\windows\system32\24999735.exe
    c:\windows\WindowsUpdate.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-31 )))))))))))))))))))))))))))))))
    .
    .
    2012-05-27 13:05 . 2012-05-27 13:05 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Identities
    2012-05-26 14:27 . 2012-01-31 12:44 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-26 13:50 . 2009-08-06 13:53 215920 ----a-w- c:\windows\system32\muweb.dll
    2012-05-26 13:50 . 2009-08-06 13:53 274288 ----a-w- c:\windows\system32\mucltui.dll
    2012-05-20 17:13 . 2012-05-20 17:17 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-05-20 17:13 . 2012-05-20 17:13 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
    2012-05-20 17:13 . 2012-05-20 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-05-15 17:48 . 2012-05-15 17:44 850152 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2012-05-15 17:48 . 2012-05-15 17:48 -------- d-----w- c:\program files\Illustrate
    2012-05-15 17:39 . 2012-05-15 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
    2012-05-15 17:39 . 2012-05-15 17:39 -------- d-----w- c:\program files\NCH Software
    2012-05-15 17:39 . 2012-05-15 17:39 -------- d-----w- c:\documents and settings\Admin\Application Data\NCH Software
    2012-05-12 00:06 . 2012-05-12 00:06 -------- d-----w- C:\FOUND.008
    2012-05-08 14:04 . 2012-05-08 14:04 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-05-04 00:42 . 2012-05-04 00:42 -------- d-----w- c:\program files\Common Files\Java
    2012-05-04 00:39 . 2012-05-04 00:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2012-05-04 00:39 . 2012-05-04 00:38 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-05-03 15:34 . 2012-05-03 15:34 -------- d-----w- c:\documents and settings\Admin\Application Data\BabylonToolbar
    2012-05-03 14:32 . 2012-05-03 14:32 -------- d-----w- c:\program files\Mozilla Maintenance Service
    2012-05-03 14:32 . 2012-05-03 14:32 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
    2012-05-03 14:32 . 2012-05-03 14:32 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-05-08 14:04 . 2011-10-12 16:56 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-05-04 00:38 . 2011-10-13 15:11 472864 ----a-w- c:\windows\system32\deployJava1.dll
    2012-05-03 14:32 . 2012-02-27 16:31 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 07:25 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-09-27 01:52 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2004-08-03 11:26 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyDownloads]
    2011-10-12 13:50 854040 ----a-w- c:\program files\Easy downloads\EasyDownloads.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2011-11-23 17:35 6497592 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 08:58 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-01-18 08:32 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2011-10-12 17:21 273528 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "JavaQuickStarterService"=2 (0x2)
    "MozillaMaintenance"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Easy downloads\\EasyDownloads.exe"=
    "c:\\Program Files\\Easy downloads\\EasyDL.exe"=
    "c:\\Program Files\\TeamViewer3\\TeamViewer.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    .
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/20/2012 10:43 PM 40776]
    S4 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/3/2012 8:02 PM 129976]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-05-08 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1957994488-1645522239-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 08:10]
    .
    2012-05-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1957994488-1645522239-725345543-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 08:10]
    .
    2012-05-16 c:\windows\Tasks\prismShakeIcon.job
    - c:\program files\NCH Software\Prism\prism.exe [2012-05-15 17:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{BEFC9777-B3A9-4037-A50E-88B204AE6E2D}: NameServer = 4.4.4.4,8.8.8.8
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\jk8zt5n8.default\
    FF - prefs.js: browser.startup.homepage - www.techspot.com/community/topics/updated-5-step-viruses-spyware-malware-preliminary-removal-instructions.58138/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-Babylon Client - c:\program files\Babylon\Babylon-Pro\Babylon.exe
    MSConfigStartUp-Ftoxoc - c:\documents and settings\Admin\Application Data\Ftoxoc.exe
    MSConfigStartUp-Itoxof - c:\documents and settings\Admin\Application Data\Itoxof.exe
    MSConfigStartUp-snp2std - c:\windows\vsnp2std.exe
    MSConfigStartUp-tsnp2std - c:\windows\tsnp2std.exe
    MSConfigStartUp-WebSite - c:\program files\JustClicking\JustClicking.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-05-31 19:47
    Windows 5.1.2600 Service Pack 2 FAT NTAPI
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1372)
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2012-05-31 19:50:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-05-31 14:20
    .
    Pre-Run: 4,930,273,280 bytes free
    Post-Run: 4,926,521,344 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    C:\ = "Microsoft DOS"
    .
    - - End Of File - - CDEF5B63A025AF5DBB645DCA4A7378CE
     
  10. Broni

    Broni Malware Annihilator Posts: 47,691   +268

    Looks good.

    You're not running any AV program.

    Install ONE of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
    - free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
    Update, run full scan, report on any findings.

    Next....

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /I " " /c
    dir /b "%systemroot%\*.exe" | find /I " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.