JeffeVerde - Analysis Request



JeffeVerde
2012-03-25, 20:47
Changing a desktop system from a wired network connection to a USB wireless adapter. Upon setup, the adapter successfully connects to the router, then falls into this cycle: disconnect for 2 seconds, reconnect for 5 seconds, disconnect for 2 seconds, reconnect... indefinitely.

Ran Malwarebytes and found 4 browser hijackers and two old, archived files with W32.Magistr.39921@mm (these old files have not been accessed in several years).

Thank you in advance for your help

==================================================
DDS LOG 20120325
==================================================
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_22
Run by Geoff at 10:18:22 on 2012-03-25
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1983.1561 [GMT -8:00]
.
.
============== Running Processes ===============
.
E:\WINNT\system32\spoolsv.exe
E:\WINNT\system32\netdde.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
E:\PROGRA~1\MICROS~4\MSSQL$~2\binn\sqlservr.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\WINNT\Explorer.EXE
E:\Program Files\Norton AntiVirus\SAVScan.exe
E:\Program Files\SalesLogix\SLXOleDBProvider.exe
E:\WINNT\system32\stisvc.exe
E:\Program Files\SalesLogix\SlxDBServer.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINNT\system32\VTTimer.exe
E:\Program Files\Microsoft IntelliType Pro\type32.exe
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\NETGEAR\WG111v3\WG111v3.exe
E:\Program Files\TRENDnet\TEW-424UB\WlanCU.exe
E:\WINNT\system32\wuauclt.exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\WINNT\System32\SCardSvr.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - e:\program files\snagit 6\SnagItBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - e:\program files\norton antivirus\NavShExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - e:\program files\snagit 6\SnagItIEAddin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - e:\program files\norton antivirus\NavShExt.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [Messenger (Yahoo!)] "e:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [updateMgr] "e:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
mRun: [DAEMON Tools-1033] "e:\program files\utils\daemon-tools\daemon.exe" -lang 1033
mRun: [ccApp] "e:\program files\common files\symantec shared\ccApp.exe"
mRun: [Advanced Tools Check] e:\progra~1\norton~1\advtools\ADVCHK.EXE
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE e:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE e:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [VTTimer] VTTimer.exe
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [type32] "e:\program files\microsoft intellitype pro\type32.exe"
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "e:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [ALUAlert] e:\program files\symantec\liveupdate\ALUNotify.exe
dRunOnce: [^SetupICWDesktop] e:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - e:\program files\intervideo\common\bin\WinCinemaMgr.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - e:\program files\netgear\wg111v3\WG111v3.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - e:\program files\trendnet\tew-424ub\WlanCU.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\not\adober~1.lnk - e:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\not\micros~1.lnk - e:\program files\microsoft office\office\OSA9.EXE
IE: Download all with Free Download Manager - file://e:\program files\free download manager\dlall.htm
IE: Download Images by Picture Finder - e:\program files\super picture finder grabber\pf_link.htm
IE: Download selected with Free Download Manager - file://e:\program files\free download manager\dlselected.htm
IE: Download web site with Free Download Manager - file://e:\program files\free download manager\dlpage.htm
IE: Download with Free Download Manager - file://e:\program files\free download manager\dllink.htm
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - e:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - e:\program files\aim95\aim.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
Trusted Zone: edison.com\www
Trusted Zone: rockler.com\www
DPF: DirectAnimation Java Classes - file://e:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://e:\winnt\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{1D4C3EB5-41D1-43EF-AE3E-899E5FCD9414} : DhcpNameServer = 192.168.1.254
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - e:\program files\common files\microsoft shared\web folders\pkmcdo.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\documents and settings\geoff.csg20\application data\mozilla\firefox\profiles\1kuypueh.default\
FF - prefs.js: browser.search.selectedEngine - GoogleFeed.net
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://smartwebsearch.net/results.php?q=
FF - plugin: e:\documents and settings\geoff.csg20\application data\mozilla\firefox\profiles\1kuypueh.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - e:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: LogMeIn, Inc. Remote Access Plugin: LogMeInClient@logmein.com - %profile%\extensions\LogMeInClient@logmein.com
.
============= SERVICES / DRIVERS ===============
.
R0 stwlfbus;stwlfbus;e:\winnt\system32\drivers\stwlfbus.sys [2003-4-27 8704]
R1 SAVRT;SAVRT;e:\program files\norton antivirus\SAVRT.SYS [2004-4-14 308416]
R1 SAVRTPEL;SAVRTPEL;e:\program files\norton antivirus\SAVRTPEL.SYS [2004-4-14 37056]
R2 ccEvtMgr;Symantec Event Manager;e:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-4-14 255136]
R2 ccSetMgr;Symantec Settings Manager;e:\program files\common files\symantec shared\CCSETMGR.EXE [2004-4-14 234656]
R2 EAPPkt;Realtek EAPPkt Protocol;e:\winnt\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-24 652360]
R2 MSSQL$CSG20SQL2K;MSSQL$CSG20SQL2K;e:\progra~1\micros~4\mssql$~2\binn\sqlservr.exe -scsg20sql2k --> e:\progra~1\micros~4\mssql$~2\binn\sqlservr.exe -sCSG20SQL2K [?]
R2 navapsvc;Norton AntiVirus Auto Protect Service;e:\program files\norton antivirus\NAVAPSVC.EXE [2004-6-2 158848]
R2 SAVScan;SAVScan;e:\program files\norton antivirus\SAVSCAN.EXE [2004-4-14 193816]
R2 SlxOleDB;SalesLogix OLEDB Provider;e:\program files\saleslogix\SLXOleDBProvider.exe [2003-5-6 367616]
R2 Symantec Core LC;Symantec Core LC;e:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2003-9-30 585728]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;e:\winnt\system32\drivers\WLNdis50.sys [2012-3-13 20480]
R3 MBAMProtector;MBAMProtector;e:\winnt\system32\drivers\mbam.sys [2012-3-24 18800]
R3 NAVENG;NAVENG;e:\progra~1\common~1\symant~1\virusd~1\20040602.017\NAVENG.Sys [2004-6-2 68168]
R3 NAVEX15;NAVEX15;e:\progra~1\common~1\symant~1\virusd~1\20040602.017\NavEx15.Sys [2004-6-2 600264]
R3 st3wolf;st3wolf;e:\winnt\system32\drivers\st3wolf.sys [2003-4-27 99360]
R3 usbhub20;USB 2.0 Root Hub Support;e:\winnt\system32\drivers\usbhub20.sys [2008-12-19 49776]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;e:\program files\postgresql\8.3\bin\pg_ctl.exe [2008-9-19 65536]
S2 SBService;ScriptBlocking Service;e:\progra~1\common~1\symant~1\script~1\SBServ.exe [2003-6-24 66784]
S3 ccPwdSvc;Symantec Password Validation;e:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-4-14 87200]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;e:\winnt\system32\drivers\wg111v3.sys [2009-7-31 341504]
S3 SQLAgent$CSG20SQL2K;SQLAgent$CSG20SQL2K;e:\progra~1\micros~4\mssql$~2\binn\sqlagent.exe -i csg20sql2k --> e:\progra~1\micros~4\mssql$~2\binn\sqlagent.exe -i CSG20SQL2K [?]
S3 trid3d;trid3d;e:\winnt\system32\drivers\trid3dm.sys [2002-2-25 121292]
S3 viafilter;VIA USB Filter;e:\winnt\system32\drivers\viausb.sys [2002-2-25 9038]
S4 NProtectService;Norton Unerase Protection;e:\program files\norton antivirus\advtools\NPROTECT.EXE [2003-9-30 135168]
.
=============== Created Last 30 ================
.
2012-03-25 02:18:24 -------- d-----w- e:\documents and settings\geoff.csg20\application data\Malwarebytes
2012-03-25 02:18:04 -------- d-----w- e:\documents and settings\all users\application data\Malwarebytes
2012-03-25 02:18:00 18800 ----a-w- e:\winnt\system32\drivers\mbam.sys
2012-03-25 02:18:00 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2012-03-24 20:06:39 -------- d-----w- e:\program files\NETGEAR
2012-03-13 08:01:19 -------- d-----w- e:\winnt\WlanGINA
2012-03-13 08:00:13 19969 ----a-w- e:\winnt\system32\drivers\AegisP.sys
2012-03-13 08:00:08 20480 ----a-w- e:\winnt\system32\drivers\WLNdis50.sys
2012-03-13 07:59:59 264576 ----a-w- e:\winnt\system32\drivers\RTL8187B.sys
2012-03-13 07:59:59 -------- d-----w- e:\program files\TRENDnet
.
==================== Find3M ====================
.
2008-03-13 17:23:55 774144 ----a-w- e:\program files\RngInterstitial.dll
.
============= FINISH: 10:19:42.43 ===============

Edit

Helpers in malware removal forums are unlikely to respond and try to clean an operating system that is no longer supported and therefore cannot be updated or patched.

Further, the tools most often used for manual removals do not work on legacy systems.
http://forums.spybot.info/showpost.php?p=25290&postcount=4

http://support.microsoft.com/gp/lifean35
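The DDS log above contains the usual browser-hijack tells a helper would look for by eye: Firefox `keyword.URL` and `browser.search.selectedEngine` pointing at third-party search hosts, BHO/toolbar CLSIDs registered with "No File" behind them, sites added to the IE Trusted Zone, and a service line ending in `[?]` where DDS could not verify the binary. The script below is an added example by the editor, not code from the poster or from the DDS tool; it performs that first-pass triage over DDS-style lines. The sample lines are copied from the posted log (the control line for `MBAMService` and the stock-homepage line are included so the rules have something to ignore), and the allowlist of expected search/home hosts and the severity labels are the editor's assumptions, not anything DDS defines.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted above (constructed subset,
# enough for the rules to fire; a real run would read the whole log file).
SAMPLE_LOG = r"""
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - e:\program files\snagit 6\SnagItBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uStart Page = hxxp://www.google.com/
Trusted Zone: edison.com\www
Trusted Zone: rockler.com\www
FF - prefs.js: browser.search.selectedEngine - GoogleFeed.net
FF - prefs.js: keyword.URL - hxxp://smartwebsearch.net/results.php?q=
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
R2 MSSQL$CSG20SQL2K;MSSQL$CSG20SQL2K;e:\progra~1\micros~4\mssql$~2\binn\sqlservr.exe -scsg20sql2k --> e:\progra~1\micros~4\mssql$~2\binn\sqlservr.exe -sCSG20SQL2K [?]
R2 MBAMService;MBAMService;e:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-3-24 652360]
"""

# Assumption for this example: domains a stock IE/Firefox install is expected to
# point search and home settings at. Anything else is reported for review.
EXPECTED_SEARCH_DOMAINS = ("google.com", "mozilla.com")

# Firefox prefs that hijackers commonly rewrite.
SEARCH_PREFS = {
    "browser.search.selectedEngine",
    "browser.search.defaultenginename",
    "keyword.URL",
    "browser.startup.homepage",
}

# DDS writes "hxxp" for "http" so log URLs are not clickable; accept both.
_URL_HOST = re.compile(r"^(?:hxxps?|https?)://([^/\s]+)", re.I)
_FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")
_IE_PAGE = re.compile(r"^[umd]?(?:Start Page|Search Page)\s*=\s*(.+)$")
_ADDON = re.compile(r"^(?:BHO|TB|EB): ")
_SERVICE = re.compile(r"^[RS]\d ")


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "info" (editor's own scale)
    line: str
    reason: str


def host_of(value: str) -> str:
    """Lower-cased host of a URL, or the bare value when it is not a URL
    (e.g. a search engine name such as 'GoogleFeed.net')."""
    m = _URL_HOST.match(value.strip())
    return (m.group(1) if m else value.strip()).lower()


def is_expected_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in EXPECTED_SEARCH_DOMAINS)


def triage(log_text: str) -> list[Finding]:
    """Walk DDS-style lines and return the entries a helper would want to review."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Orphaned browser add-on: CLSID still registered, DLL gone.
        if _ADDON.match(line) and line.endswith("- No File"):
            findings.append(Finding("medium", line,
                "browser add-on CLSID registered but its file is missing (orphan, often left by a removed hijacker)"))
            continue
        # Firefox search/home prefs redirected off the expected providers.
        m = _FF_PREF.match(line)
        if m and m.group(1) in SEARCH_PREFS:
            host = host_of(m.group(2))
            if not is_expected_host(host):
                findings.append(Finding("high", line,
                    f"{m.group(1)} points at {host}, not an expected search/home provider"))
            continue
        # IE start/search page redirected.
        m = _IE_PAGE.match(line)
        if m:
            host = host_of(m.group(1))
            if not is_expected_host(host):
                findings.append(Finding("high", line, f"IE page setting points at {host}"))
            continue
        # Trusted Zone entries run with relaxed IE security; confirm the user added them.
        if line.startswith("Trusted Zone:"):
            findings.append(Finding("info", line, "site in IE Trusted Zone; confirm it was added deliberately"))
            continue
        # DDS could not read the service binary; the path shown is the registry ImagePath.
        if _SERVICE.match(line) and line.endswith("[?]"):
            findings.append(Finding("info", line, "service binary not verified by DDS; check the file on disk"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run on the sample it flags the two redirected Firefox prefs as high, the three "No File" add-on entries as medium, and the two Trusted Zone sites plus the unverified `MSSQL$CSG20SQL2K` service as info, while leaving the Google start page, the stock `start3.mozilla.com` homepage and the Malwarebytes service alone. The output is a review queue, not a verdict: a `[?]` service or a Trusted Zone entry is frequently legitimate, which is why those are reported at the lowest level.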