Need Help of course!



whodat31
2009-11-05, 02:04
I need help!!! My mother's computer has a nasty something and I can't fix it. I have tried to run HJT, but when I do, it runs and then, before it finishes, it stops and wants to send a Microsoft report. I am not sure what else to do or where to begin. Any help would be greatly appreciated.

Thanks so much for your time.

Blade81
2009-11-07, 17:57
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.



Download GMER (http://www.gmer.net) here by clicking the "download exe" button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the "Show All" box while scanning is in progress!
When scanning is ready, click Copy.
This copies the log to the clipboard.
Post the log in your reply.

whodat31
2009-11-08, 05:06
Thanks so much for your time and all you do to help people!!

I think this is what you asked for.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Bonnie at 21:35:35.90 on Sat 11/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.192 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
G:\Documents\Downloads\dds.scr
C:\WINDOWS\system32\dwwin.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Billminder.lnk.disabled
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Quicken Startup.lnk.disabled
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

============= SERVICES / DRIVERS ===============

S2 AntipPolice_;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S3 XPAD910;XPADFilter Service 910;c:\windows\system32\drivers\xpad910.sys [2008-3-17 29405]

=============== Created Last 30 ================

2009-11-08 02:03:05 0 d-s---w- C:\ComboFix
2009-11-07 03:22:46 0 d-----w- c:\docume~1\bonnie\applic~1\Malwarebytes
2009-11-07 03:22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-07 03:22:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-07 03:22:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 03:22:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-07 01:41:03 224 ----a-w- c:\windows\QUICKEN.INI
2009-11-06 01:59:47 0 d-sha-r- C:\cmdcons
2009-11-05 01:33:54 77312 ----a-w- c:\windows\MBR.exe
2009-11-05 01:33:54 420352 ----a-w- c:\windows\PEV.exe
2009-11-05 01:33:54 251904 ----a-w- c:\windows\sed.exe
2009-11-05 01:33:54 161792 ----a-w- c:\windows\SWREG.exe

==================== Find3M ====================

2009-11-07 22:53:45 880 ----a-w- c:\docume~1\bonnie\applic~1\wklnhst.dat
2009-11-07 01:23:33 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-07 01:23:16 107832 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-02 01:40:35 168448 ----a-w- c:\windows\system32\ctfmon.exe
2009-10-02 01:39:49 442368 ----a-w- c:\windows\stsystra.exe
2009-10-02 01:06:01 1186816 ----a-w- c:\windows\explorer.exe
2009-10-01 20:42:07 436736 ----a-w- c:\windows\winhlp32.exe
2009-10-01 20:42:05 178688 ----a-w- c:\windows\twunk_32.exe
2009-10-01 20:42:00 168448 ----a-w- c:\windows\TASKMAN.EXE
2009-10-01 20:40:59 346112 ----a-w- c:\windows\system32\QCON3216.EXE
2009-10-01 20:39:59 339968 ----a-w- c:\windows\system32\dwwin.exe
2009-10-01 20:39:59 208384 ----a-w- c:\windows\system32\dvdplay.exe
2009-10-01 20:39:59 171008 ----a-w- c:\windows\system32\dvdupgrd.exe
2009-10-01 20:39:58 163840 ----a-w- c:\windows\system32\dumprep.exe
2009-10-01 20:39:57 198656 ----a-w- c:\windows\system32\drwtsn32.exe
2009-10-01 20:39:54 236544 ----a-w- c:\windows\system32\dpvsetup.exe
2009-10-01 20:39:54 171008 ----a-w- c:\windows\system32\dpnsvr.exe
2009-10-01 20:39:53 182784 ----a-w- c:\windows\system32\dplaysvr.exe
2009-10-01 20:39:53 163840 ----a-w- c:\windows\system32\doskey.exe
2009-10-01 20:39:52 377856 ----a-w- c:\windows\system32\dmadmin.exe
2009-10-01 20:39:52 168960 ----a-w- c:\windows\system32\dmremote.exe
2009-10-01 20:39:51 157696 ----a-w- c:\windows\system32\dllhst3g.exe
2009-10-01 20:37:36 196608 ----a-w- c:\windows\slrundll.exe
2009-10-01 20:36:01 299520 ----a-w- c:\windows\regedit.exe
2009-10-01 20:34:38 163840 ----a-w- c:\windows\hh.exe
2009-09-25 20:22:14 188928 ----a-w- c:\windows\system32\rcimlby.exe
2009-09-25 20:22:10 500224 ----a-w- c:\windows\system32\tourstart.exe
2009-09-25 20:22:07 296448 ----a-w- c:\windows\system32\mobsync.exe
2009-09-25 20:22:07 222208 ----a-w- c:\windows\system32\notepad.exe
2009-09-25 20:22:04 542208 ----a-w- c:\windows\system32\cmd.exe
2009-09-25 20:22:02 203264 ----a-w- c:\windows\system32\utilman.exe
2009-09-25 20:22:00 368640 ----a-w- c:\windows\system32\osk.exe
2009-09-25 20:21:59 206848 ----a-w- c:\windows\system32\narrator.exe
2009-09-25 20:21:57 225792 ----a-w- c:\windows\system32\magnify.exe

============= FINISH: 21:36:04.92 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2/22/2008 7:05:22 AM
System Uptime: 11/7/2009 9:33:22 PM (0 hours ago)

Motherboard: Dell Inc | | 0CT103
Processor: AMD Sempron(tm) Processor 3400+ | Socket M2 | 1803/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 146 GiB total, 94.363 GiB free.
E: is CDROM ()
F: is CDROM (CDFS)
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Apple Mobile Device Support
Apple Software Update
Bonjour
Call of Duty(R) 4 - Modern Warfare(TM)
Cooking Academy
Dell Resource CD
Game Elements GGE910 Wireless PC Control Pad
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
iTunes
Malwarebytes' Anti-Malware
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Works
MobileMe Control Panel
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NVIDIA Drivers
Quicken 2001 Deluxe
QuickTime
Safari
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SigmaTel Audio
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

11/7/2009 9:33:51 PM, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).
11/7/2009 9:02:46 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
11/7/2009 9:02:46 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/7/2009 9:02:46 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/7/2009 9:02:46 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/7/2009 9:02:46 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/7/2009 9:02:46 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/7/2009 9:02:46 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/7/2009 9:01:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/7/2009 9:01:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/5/2009 6:07:04 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
11/5/2009 12:17:11 AM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
11/5/2009 12:17:06 AM, error: SRService [104] - The System Restore initialization process failed.
11/5/2009 12:05:25 PM, error: Service Control Manager [7000] - The AntiPol service failed to start due to the following error: The system cannot find the file specified.
11/4/2009 10:15:23 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-07 22:02:19
Windows 5.1.2600 Service Pack 3
Running: 7wxvyvv2.exe; Driver: C:\DOCUME~1\Bonnie\LOCALS~1\Temp\pgxcapod.sys


---- User code sections - GMER 1.0.15 ----

.data C:\WINDOWS\explorer.exe[2564] C:\WINDOWS\explorer.exe entry point in ".data" section [0x010FF000]
.text C:\WINDOWS\explorer.exe[2564] C:\WINDOWS\explorer.exe section is writeable [0x0111F000, 0x28208, 0xE0000020]
.data C:\WINDOWS\explorer.exe[2564] C:\WINDOWS\explorer.exe unknown last section [0x01148000, 0x1E00, 0xC0000040]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvitxgxnx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACvitxgxnx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACupkmlatv.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACaowpyebn.dat
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACpyrgovof.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACronqodlj.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACedaelyib.dll
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACnbodlsxd.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACdcjsnkcb.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACoeaddhsd.log
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACxweecriv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----
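Added here as an illustration, not code from the thread or from either tool: a small Python triage pass over lines in the shape of the DDS and GMER output above. It flags the three things a helper would look at in this log: a service whose image file is missing on disk (DDS marks it with "[?]"), a one-letter lookalike of a Windows system binary (svchast.exe next to svchost.exe), and randomly named UAC* modules reached through \\?\globalroot device paths. The sample lines are constructed to match the posted log, and the UAC* name pattern is an assumption generalised from it.

```python
import re

# Constructed sample lines modelled on the DDS and GMER output posted above.
SAMPLE_LINES = r"""
S2 AntipPolice_;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S3 XPAD910;XPADFilter Service 910;c:\windows\system32\drivers\xpad910.sys [2008-3-17 29405]
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACvitxgxnx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACupkmlatv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
""".strip().splitlines()

# Well-known Windows binaries that malware often imitates by changing one letter.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "userinit.exe", "services.exe", "smss.exe"}

# Naming pattern seen in the GMER registry section above: a fixed "UAC" prefix
# followed by random lower-case letters (an assumption generalised from this log).
RANDOM_UAC_NAME = re.compile(r"\bUAC[a-z]{6,10}\.(?:sys|dll|dat|log)\b")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter lookalikes of system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(filename):
    """Return the system binary a filename imitates (distance 1), else None."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for known in SYSTEM_BINARIES:
        if edit_distance(name, known) == 1:
            return known
    return None

def triage_line(line):
    """Return a list of (reason, line) findings for one DDS or GMER line."""
    findings = []
    basenames = re.findall(r"[\w\-.]+\.(?:exe|sys|dll|dat|log)", line, re.IGNORECASE)
    for name in sorted({n.lower() for n in basenames}):
        known = lookalike_of(name)
        if known:
            findings.append((f"lookalike of {known}: {name}", line))
    # DDS service lines (S2, S3, R2 ...) end with "[?]" when the image file is not found.
    if re.match(r"[SR]\d ", line) and line.rstrip().endswith("[?]"):
        findings.append(("service image file missing on disk", line))
    # \\?\globalroot paths bypass ordinary path lookups and are rare in clean logs.
    if "globalroot" in line.lower():
        findings.append(("module referenced via \\\\?\\globalroot path", line))
    if RANDOM_UAC_NAME.search(line):
        findings.append(("randomly named UAC* module", line))
    return findings

def triage(lines):
    """Run triage_line over every line and collect all findings."""
    return [f for line in lines for f in triage_line(line)]
```

Running triage(SAMPLE_LINES) reports the svchast.exe service twice (lookalike name and missing file), the two UAC* modules, and the globalroot path, while the legitimate driver and the spooler setting pass clean.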

Blade81
2009-11-08, 14:28
Hi,

Seems that you missed this topic: Do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806). Post the contents of the c:\ComboFix.txt log, please.

whodat31
2009-11-08, 16:47
You are right, I missed that. I did try to run ComboFix before I posted here. I am sorry. I thought that maybe I could fix it without help and of course I was wrong. Once again, sorry. My brother did too, but now I have brought the computer to my house, so I am in total control of it from now on.

I can't find the ComboFix report anywhere on the computer. When I did try to run it before, it never would finish: it would get to stage 50, then would say a system file is corrupted and the file is userinit.exe, and it stops there.

Sorry for all the trouble.

Brian

Blade81
2009-11-08, 16:56
Hi,

Ok. Delete your old copy of ComboFix.exe.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Download ComboFix from any of the links below. You must rename it (use eatMalware.exe as the name) before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------

Double-click on eatMalware.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a fresh DDS log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Blade81
2009-11-16, 09:46
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.