
Malware returns despite MBAM being used

By Pixel Scuba
Oct 17, 2010
  1. I have a particularly nasty malware problem that continues to resurface even after it has been removed. I've swept the system several times with MBAM but, without fail, random links will still open new windows trying to visit a different site. I'm running XP Professional. Here are the logs:

    -------------------------

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4793

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    10/16/2010 9:40:13 PM
    mbam-log-2010-10-16 (21-40-13).txt

    Scan type: Quick scan
    Objects scanned: 164137
    Time elapsed: 8 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 213.109.68.247 213.109.73.249 1.1.1.1 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{46f584f9-bac2-461f-99aa-90ffd7f44875}\DhcpNameServer (Trojan.DNSChanger) -> Data: 213.109.68.247 213.109.73.249 1.1.1.1 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Random Wanker\Local Settings\Temp\0.23019200410602336.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    -------------------------

    GMER 1.0.15.15319 - http://www.gmer.net
    Rootkit scan 2010-10-16 23:20:54
    Windows 5.1.2600 Service Pack 3
    Running: jon2ujeo.exe; Driver: C:\DOCUME~1\RANDOM~1\LOCALS~1\Temp\ugtdypog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? jnuglrfe.sys The system cannot find the file specified. !
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB73BA3A0, 0x592C35, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[1584] SHELL32.dll!SHFileOperationW 7CA70A18 5 Bytes JMP 00EF1102 C:\Program Files\Unlocker\UnlockerHook.dll

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    -------------------------


    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Random Wanker at 23:21:01.87 on Sat 10/16/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1496 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\WZCBDL Service\WZCBDLS.exe
    C:\PROGRA~1\AVG\avgrsx.exe
    C:\PROGRA~1\AVG\avgnsx.exe
    C:\Program Files\AVG\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\D-Link\Air Utility\AirCFG.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Spyware Tools\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    mWinlogon: SFCDisable=-99 (0xffffff9d)
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [EPSON NX110 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifba.exe /fu "c:\windows\temp\E_S8B8.tmp" /EF "HKCU"
    mRun: [D-Link Air Utility] c:\program files\d-link\air utility\AirCFG.exe
    mRun: [UnlockerAssistant] c:\program files\unlocker\UnlockerAssistant.exe -H
    mRun: [AVG8_TRAY] c:\progra~1\avg\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\qt lite\QTTask.exe" -atboottime
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    StartupFolder: c:\docume~1\random~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    uPolicies-explorer: NoSMHelp = 01000000
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    dPolicies-explorer: NoResolveTrack = 1 (0x1)
    dPolicies-explorer: NoInstrumentation = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223982005234
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223984051000
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\random~1\applic~1\mozilla\firefox\profiles\qv0i4b8u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.doomworld.com
    FF - component: c:\program files\avg\firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
    FF - plugin: c:\progra~1\mozill~1\plugins\np_gp.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-18 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-18 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-18 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avgwdsvc.exe [2009-2-18 297752]
    R2 NIOC;NIOC Service;c:\windows\system32\NIOC.sys [2002-9-27 22912]
    R2 WZCBDLService;WZCBDL Service;c:\program files\wzcbdl service\WZCBDLS.exe [2002-3-19 36864]
    S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [2008-10-14 158976]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
    S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

    =============== Created Last 30 ================

    2010-10-17 03:02:35 -------- d-----w- c:\program files\Spyware Tools
    2010-10-14 02:24:08 -------- d-----w- C:\SDFix
    2010-10-11 01:21:56 8704 ----a-w- c:\windows\system32\CNMVS75.DLL
    2010-10-11 01:21:56 59392 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPP75.DLL
    2010-10-11 01:21:56 20992 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\CNMPD75.DLL
    2010-10-11 01:21:56 139776 ----a-w- c:\windows\system32\CNMLM75.DLL
    2010-10-11 01:21:53 90112 ----a-w- c:\windows\system32\CNMCP75.exe
    2010-09-21 04:39:07 -------- d-----w- c:\docume~1\random~1\applic~1\Malwarebytes
    2010-09-21 04:38:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-21 04:38:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-21 04:38:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-21 04:38:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-09-21 02:26:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\PopCap Games

    ==================== Find3M ====================

    2010-08-17 23:19:13 214720 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2010-08-17 23:19:13 214720 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-08-17 21:54:25 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
    2010-08-17 21:54:25 2373712 ----a-w- c:\windows\system32\pbsvc.exe
    2010-07-21 00:23:24 217196 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-07-21 00:23:24 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2010-07-21 00:19:30 217196 ----a-w- c:\windows\system32\nvdrsdb0.bin

    ============= FINISH: 23:21:34.32 ===============

    -------------------------


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/7/2005 10:24:05 AM
    System Uptime: 10/16/2010 9:41:15 PM (2 hours ago)

    Motherboard: Dell Computer Corp. | | 0FG022
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 28 GiB total, 11.367 GiB free.
    D: is FIXED (NTFS) - 56 GiB total, 1.247 GiB free.
    E: is FIXED (NTFS) - 65 GiB total, 8.769 GiB free.
    F: is CDROM ()
    G: is CDROM (CDFS)
    H: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: D-Link Air DWL-520 Wireless PCI Adapter(rev.D)
    Device ID: PCI\VEN_10EC&DEV_8180&SUBSYS_33031186&REV_20\4&1C660DD6&0&50F0
    Manufacturer: D-Link
    Name: D-Link Air DWL-520 Wireless PCI Adapter(rev.D)
    PNP Device ID: PCI\VEN_10EC&DEV_8180&SUBSYS_33031186&REV_20\4&1C660DD6&0&50F0
    Service: NETR33X

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    µTorrent
    7-Zip 4.57
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Stock Photos 1.0
    Air Utility
    Alien Swarm
    Audacity 1.2.6
    AVG Free 8.5
    Bonjour
    Canon iP1600
    CCleaner
    CDBurnerXP
    CDisplay 1.8
    Combined Community Codec Pack 2009-09-09
    Crayon Physics Deluxe - release 53
    D-Box 2.0
    D-Link 11Mbps Wireless LAN for Windows
    Daikatana
    Doom Builder 2.1
    Easy Icon Maker
    EPSON NX110 Series Printer Uninstall
    EPSON Scan
    Foxit Reader
    Google Talk (remove only)
    GraphicsGale version 1.92
    Haali Media Splitter
    Half-Life 2: Lost Coast
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)
    Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)
    Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)
    Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)
    Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)
    Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB945282)
    Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946040)
    Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946308)
    Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946344)
    Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB946581)
    Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB947540)
    Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB947789)
    Hotfix for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB951708)
    Hotfix for Office (KB950278)
    ID3-TagIT 3
    ImgBurn
    Java(TM) 6 Update 14
    Left 4 Dead Authoring Tools
    LEGO® Indiana Jones™
    LightScribe System Software 1.14.32.1
    Macromedia Flash 5
    Malwarebytes' Anti-Malware
    Max Payne
    Max Payne 2
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Office 2000 Premium
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Visual Web Developer 2007
    Microsoft Office Visual Web Developer MUI (English) 2007
    Microsoft Silverlight
    Microsoft Silverlight 3 SDK
    Microsoft Silverlight 3 Tools for Visual Web Developer Express 2008 SP1 - ENU
    Microsoft SQL Server 2008
    Microsoft SQL Server 2008 Browser
    Microsoft SQL Server 2008 Common Files
    Microsoft SQL Server 2008 Database Engine Services
    Microsoft SQL Server 2008 Database Engine Shared
    Microsoft SQL Server 2008 Management Objects
    Microsoft SQL Server 2008 Native Client
    Microsoft SQL Server 2008 RsFx Driver
    Microsoft SQL Server 2008 Setup Support Files (English)
    Microsoft SQL Server Compact 3.5 SP1 Design Tools English
    Microsoft SQL Server Compact 3.5 SP1 English
    Microsoft SQL Server Database Publishing Wizard 1.3
    Microsoft SQL Server VSS Writer
    Microsoft Visual C# 2008 Express Edition with SP1 - ENU
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual Studio Web Authoring Component
    Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Web - enu
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
    Microsoft XNA Framework Redistributable 3.0
    Microsoft XNA Framework Redistributable 3.1
    Microsoft XNA Game Studio 3.1
    Microsoft XNA Game Studio 3.1 (ARP entry)
    Microsoft XNA Game Studio 3.1 (Platformer)
    Microsoft XNA Game Studio 3.1 (Redists)
    Microsoft XNA Game Studio 3.1 (Shared Components)
    Microsoft XNA Game Studio 3.1 (VCSExpress)
    Microsoft XNA Game Studio 3.1 (XnaLiveProxy)
    Microsoft XNA Game Studio 3.1 Documentation
    Microsoft XNA Game Studio Platform Tools
    mIRC
    Mozilla Firefox (3.6.10)
    MSXML 6.0 Parser (KB933579)
    NIOC Service
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    OpenAL
    Paint Shop Pro 6.0 (ESD)
    PDFCreator
    Perfection636W2000
    Portal
    Prey
    PunkBuster Services
    QT Lite 2.7.0
    Quake II: Ground Zero
    Quake Live Mozilla Plugin
    Quake Mission Pack 2: Dissolution of Eternity
    QuickTime
    SDFormatter
    SlimDX Redistributable (March 2009)
    SmartFTP Client
    SoundMAX
    Spybot - Search & Destroy
    Sql Server Customer Experience Improvement Program
    SQL Server System CLR Types
    Star Trek Elite Force II
    StarCraft II
    Steam
    SureThing CD Labeler Deluxe 5.0.593.0
    Tales of Monkey Island - Launch of the Screaming Narwhal
    Tweak UI
    Update for Microsoft Visual Studio Web Authoring Component (KB945140)
    Update for Microsoft Visual Web Developer 2008 Express Edition with SP1 - ENU (KB967144)
    WebFldrs XP
    Winamp (remove only)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR archiver
    WinSCP 4.2.1 beta
    WZCBDL Service
    XP Codec Pack
    Xvid 1.1.3 final uninstall

    ==== Event Viewer Messages From Past Week ========

    10/9/2010 4:54:17 PM, error: Dhcp [1002] - The IP address lease 192.168.1.116 for the Network Card with network address 000D88C94698 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    10/16/2010 9:42:11 PM, error: Print [19] - Sharing printer failed + 1722, Printer HP DeskJet 930C/932C/935C share name HP Deskjet 930C.
    10/13/2010 9:32:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    10/13/2010 9:32:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/13/2010 9:32:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    10/12/2010 10:47:39 PM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 000D88C94698 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    10/11/2010 1:02:14 AM, error: Dhcp [1002] - The IP address lease 192.168.1.125 for the Network Card with network address 000D88C94698 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    10/10/2010 8:25:31 PM, error: Print [6161] - The document New Text Document.txt - Notepad owned by Random Wanker failed to print on printer Canon iP1600. Data type: NT EMF 1.008. Size of the spool file in bytes: 2576. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\SCUBA. Win32 error code returned by the print processor: 53 (0x35).
    10/10/2010 8:01:44 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ANDREW-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7ECA38E1-34F5-4F30. The master browser is stopping or an election is being forced.
    10/10/2010 10:41:40 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ACER-399B23EC8F that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7ECA38E1-34F. The master browser is stopping or an election is being forced.
    10/10/2010 10:33:46 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{7ECA38E1-34F5-4F30-B05D-BDBD9D0B4B90} because another computer on the network has the same name. The server could not start.

    ==== End Of File ===========================
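The MBAM log above is the part of this post worth a second look: the two `Trojan.DNSChanger` hits show the `DhcpNameServer` registry data replaced with 213.109.68.247 and 213.109.73.249, which is consistent with links landing on unexpected sites even after the dropper in `Temp` is gone. The Python below is an added example, not code from this thread, from TechSpot or from Malwarebytes. It parses MBAM 1.x finding lines (`item (Family) -> [Data: ... ->] action`), counts them by family, and pulls every address out of the `*NameServer` data items so it can be compared against an allowlist of the resolvers the machine should be using. The sample log is constructed from the lines in this post with the user name replaced by a placeholder, and the allowlist `{"192.168.1.1"}` is an assumption that the router named in the DHCP event-log entries is the expected resolver; on a real system you would substitute your own.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM 1.x) text logs.

Added example, not code from TechSpot or Malwarebytes. It parses the
"item (Family) -> [Data: ... ->] action" finding lines, groups them by
detection family, and checks whether any *NameServer data item points at
a resolver outside an allowlist the operator supplies.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: the finding lines from the MBAM log in the post above,
# in the format MBAM 1.46 writes them (user name replaced by a placeholder).
SAMPLE_LOG = """\
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\DhcpNameServer (Trojan.DNSChanger) -> Data: 213.109.68.247 213.109.73.249 1.1.1.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{46f584f9-bac2-461f-99aa-90ffd7f44875}\\DhcpNameServer (Trojan.DNSChanger) -> Data: 213.109.68.247 213.109.73.249 1.1.1.1 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\Documents and Settings\\User\\Local Settings\\Temp\\0.23019200410602336.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# One MBAM finding line: the item (registry key, value, file or folder), the
# detection family in parentheses, an optional "Data:" payload for registry
# data items, and the action MBAM took.
FINDING_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)


def parse_findings(log_text):
    """Return one dict per finding line; section headers and
    '(No malicious items detected)' lines do not match and are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def summarize(log_text):
    """Count findings by detection family, e.g. {'Trojan.DNSChanger': 2}."""
    return dict(Counter(f["family"] for f in parse_findings(log_text)))


def dns_servers(log_text):
    """Every IP address MBAM reported inside a *NameServer data item."""
    servers = set()
    for f in parse_findings(log_text):
        if f["data"] and f["item"].rstrip("\\").endswith("NameServer"):
            for token in f["data"].split():
                try:
                    servers.add(str(ipaddress.ip_address(token)))
                except ValueError:
                    pass  # not an IP literal; ignore
    return servers


def unexpected_dns(log_text, allowlist):
    """Resolvers from the log that are not in the operator's allowlist,
    sorted numerically so the output is stable."""
    return sorted(
        (ip for ip in dns_servers(log_text) if ip not in allowlist),
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    # Assumed allowlist: the LAN router seen in the DHCP event-log entries.
    expected = {"192.168.1.1"}
    print("findings by family:", summarize(SAMPLE_LOG))
    print("unexpected resolvers:", unexpected_dns(SAMPLE_LOG, expected))
```

The same check is useful after cleaning: if a later scan, or a look at the `DhcpNameServer` values themselves, still shows resolvers outside the allowlist, the redirects are unlikely to stop regardless of what was quarantined.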
  2. crunchie

    crunchie Malware Helper Posts: 761

    Hi and welcome to TechSpot forums :).

    ====

    Update MBA-M and run another scan. Post the log when done.
  3. Pixel Scuba

    Pixel Scuba TS Rookie Topic Starter

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4855

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    10/17/2010 8:47:11 AM
    mbam-log-2010-10-17 (08-47-11).txt

    Scan type: Quick scan
    Objects scanned: 164888
    Time elapsed: 7 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Temp\GM7g31aA.sys (Trojan.Agent) -> Quarantined and deleted successfully.
  4. crunchie

    crunchie Malware Helper Posts: 761

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
  5. Pixel Scuba

    Pixel Scuba TS Rookie Topic Starter

    ComboFix 10-10-16.04 - Random Wanker 10/17/2010 10:08:21.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1505 [GMT -5:00]
    Running from: c:\documents and settings\Random Wanker\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-17 to 2010-10-17 )))))))))))))))))))))))))))))))
    .

    2010-10-17 04:26 . 2010-10-17 04:26 -------- d-----w- c:\program files\Common Files\Java
    2010-10-17 04:26 . 2010-09-15 09:50 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-10-17 04:26 . 2010-09-15 09:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-17 03:02 . 2010-10-17 03:17 -------- d-----w- c:\program files\Spyware Tools
    2010-10-14 02:24 . 2008-11-06 07:03 -------- d-----w- C:\SDFix
    2010-10-11 01:21 . 2006-07-11 02:00 8704 ----a-w- c:\windows\system32\CNMVS75.DLL
    2010-10-11 01:21 . 2006-07-11 02:00 59392 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP75.DLL
    2010-10-11 01:21 . 2006-07-11 02:00 20992 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD75.DLL
    2010-10-11 01:21 . 2006-07-11 02:00 139776 ----a-w- c:\windows\system32\CNMLM75.DLL
    2010-10-11 01:21 . 2005-03-08 15:17 90112 ----a-w- c:\windows\system32\CNMCP75.exe
    2010-10-11 01:21 . 2010-10-11 01:21 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
    2010-10-02 01:18 . 2010-10-02 01:18 -------- d-----w- c:\documents and settings\Random Wanker_2\Local Settings\Application Data\Google
    2010-09-21 04:39 . 2010-09-21 04:39 -------- d-----w- c:\documents and settings\Random Wanker\Application Data\Malwarebytes
    2010-09-21 04:38 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-09-21 04:38 . 2010-09-21 04:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-21 04:38 . 2010-09-21 04:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-09-21 04:38 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-21 02:26 . 2010-09-21 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ------- Sigcheck -------

    [-] 2008-12-30 . 5AE1C2695F6523AD98B948F2887D8C5E . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
    [-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys

    [7] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\wscntfy.exe
    [-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "D-Link Air Utility"="c:\program files\D-Link\Air Utility\AirCFG.exe" [2003-06-26 2695168]
    "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
    "AVG8_TRAY"="c:\progra~1\AVG\avgtray.exe" [2010-07-08 2048352]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QT Lite\QTTask.exe" [2009-11-11 417792]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-07 110696]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-07 13902440]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-06-03 1753192]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2008-04-14 99840]

    c:\documents and settings\Random Wanker\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2007-4-14 65588]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSMHelp"= 01000000

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-08-22 14:37 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2007-02-13 18:29 35328 ----a-w- c:\program files\Winamp\winampa.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\avgupd.exe"=
    "c:\\Program Files\\AVG\\avgnsx.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Games\\Steam\\steamapps\\common\\quake 2\\ground_zero.bat"=
    "d:\\Games\\Steam\\steamapps\\common\\quake 2\\quake2.exe"=
    "d:\\Games\\Steam\\steamapps\\common\\quake\\Winquake.exe"=
    "d:\\Games\\Steam\\steamapps\\common\\quake\\qwcl.exe"=
    "d:\\Games\\Steam\\steamapps\\common\\quake\\Glquake.exe"=
    "d:\\Games\\Steam\\steamapps\\common\\quake\\glqwcl.exe"=
    "d:\\Games\\Steam\\steamapps\\common\\alien swarm\\srcds.exe"=
    "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
    "d:\\Games\\Steam\\steamapps\\common\\alien swarm\\swarm.exe"=
    "d:\\Games\\Steam\\steamapps\\common\\left 4 dead\\bin\\SDKLauncher.exe"=
    "d:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

    R?2 WZCBDLService;WZCBDL Service;c:\program files\WZCBDL Service\WZCBDLS.exe [3/19/2002 12:15 PM 36864]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/18/2009 10:30 AM 335240]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/18/2009 10:30 AM 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\avgwdsvc.exe [2/18/2009 10:30 AM 297752]
    R2 NIOC;NIOC Service;c:\windows\system32\NIOC.sys [9/27/2002 6:21 PM 22912]
    S3 NETR33X;D-Link Air Wireless Adapter(RTL) NT Driver;c:\windows\system32\drivers\NETR33X.sys [10/14/2008 5:31 AM 158976]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
    S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 3:49 AM 242712]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ASPI32

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-10-23 01:55 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Random Wanker\Application Data\Mozilla\Firefox\Profiles\qv0i4b8u.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.doomworld.com
    FF - component: c:\program files\AVG\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Perfection636W2000 - c:\program files\Epson America INC.\Perfection636W2000\DeIsL2.isu


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1220945662-117609710-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:4b,aa,10,0a,4c,67,27,06,01,4e,42,50,d2,c7,69,f1,13,43,92,73,c1,
    70,1a,01,7e,c5,2a,25,22,b0,f6,93,21,48,ff,3c,a7,84,42,7b,14,1f,18,d7,a6,42,\
    "rkeysecu"=hex:11,b9,26,9b,3a,d9,3d,3b,ed,3f,c2,c2,5c,2e,85,0f
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3912)
    c:\program files\NVIDIA Corporation\nView\nview.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-10-17 10:15:21
    ComboFix-quarantined-files.txt 2010-10-17 15:15

    Pre-Run: 12,764,143,616 bytes free
    Post-Run: 12,782,571,520 bytes free

    - - End Of File - - 8641E58CB6075A73F5F8947E04DC874A
  6. Pixel Scuba

    Pixel Scuba TS Rookie Topic Starter

    And to note... I did disable AVG... but it continued to say it was running... and I even tried ending all the AVG tasks in Task Manager.
  7. crunchie

    crunchie Malware Helper Posts: 761

    Cannot see anything wrong in that log.

    How is the PC now?