Topic: NVSVCPMMWindowClass problem

mb7317
NVSVCPMMWindowClass problem
« on: August 20, 2011, 06:23:47 PM »
Hi.  I'm not sure if this is the place to post this, but if it isn't I would appreciate information about where to go.

I have an HP computer with XP Media Center, and I'm running Avast free and Malwarebytes Pro.

During the last week, Avast has been blocking a lot of malicious URLs with IPs from ISprime, and Malwarebytes has been blocking Trojans, many from System32\authz32.dll.

Yesterday, the ISprime problems stopped, and I thought things were back to normal.

However, when I booted up this morning, the bottom third of the screen looked like a spreadsheet: 10 rows and 10 columns, each with NVSVCPMMWindowClass written in it.

CPU usage was 100%, but I managed to close the NVSVCPMMWindowClass windows, which were listed in the Applications window of Task Manager.

When Firefox finally opened, none of the opened tabs was listed in the task bar, and when I hovered over the task bar, the arrow became an hourglass, and I was unable to click on any of the icons in my quick-launch toolbar, the system tray, or on the start button.

Rebooting brought up the same situation.

I tried to restore the system to several past points, but all were unsuccessful.

I've Googled but can't find anything that comes close to this problem.

Over the past week, I've done repeated scans with Avast and Malwarebytes, but they only find cookies.

As I said, I will be grateful for any help you can offer, or if you can steer me to the proper forum or help site.

Thanks!

Rob

Pondus
Re: NVSVCPMMWindowClass problem
« Reply #1 on: August 20, 2011, 09:15:52 PM »
Follow this guide from our expert malware remover Essexboy:
http://forum.avast.com/index.php?topic=53253.0
(post the logs here and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs.

Lower left corner: Additional Options > Attach (Malwarebytes log / OTL log). Save the OTL log as ANSI.

Essexboy will look at the logs when posted...

mb7317
Re: NVSVCPMMWindowClass problem
« Reply #2 on: August 21, 2011, 10:48:31 PM »
Help!

I ran the Malwarebytes scan, but when I try to download the OTL file, Avast blocks it with this message:

Infection Details

URL:   http://oldtimer.geekstogo.com/OTL.exe
Process:   file://C:\Program Files (x86)\Mozilla Fi...
Infection:   win32:Rootkit-gen [Rtk]
Warn your friends to avoid this website


What do I do?

Rob

Pondus
Re: NVSVCPMMWindowClass problem
« Reply #3 on: August 21, 2011, 10:58:47 PM »
Ignore it, it is a false positive detection from Avast...
OTL is an analysis tool....

polonus
Re: NVSVCPMMWindowClass problem
« Reply #4 on: August 21, 2011, 11:12:36 PM »
Well, funny, Pondus, because the FP is also found by DrWeb's:
Checking: -http://oldtimer.geekstogo.com/OTL.exe
Engine version: 5.0.2.3300
File size: 566.50 KB
File MD5: 6e33d273cb098f6bfe9ab5c57292e57e

-http://oldtimer.geekstogo.com/OTL.exe infected with Trojan.Siggen3.1755
and more detect the packer.... and SavedLegacySettings 0x3c00 etc.
A whole series of AV solutions flag it: http://www.virustotal.com/file-scan/report.html?id=deed2ed5f51ec938dfee9f58300e490cc08a03bf0ae5f90e95fa38277c172c74-1313956813
15/43 (34.9%). See: http://anubis.iseclab.org/?action=result&task_id=1a2445238971c52c491a2a27eed175e06
See: http://www.threatexpert.com/report.aspx?md5=6e33d273cb098f6bfe9ab5c57292e57e

But as far as I can establish it is the packer, PE_Patch.PECompactm, that is flagged as a trojan, but actually it is goodware.

polonus

Pondus
Re: NVSVCPMMWindowClass problem
« Reply #5 on: August 21, 2011, 11:15:26 PM »
Yep, we have seen this before.....

I will upload an FP case to Avira... to see what they say   ;)

essexboy
Re: NVSVCPMMWindowClass problem
« Reply #6 on: August 21, 2011, 11:15:55 PM »
I have uploaded it again as an FP.

mb7317
Re: NVSVCPMMWindowClass problem
« Reply #7 on: August 22, 2011, 01:39:04 AM »
I have run Malwarebytes and OTL, but I cannot open Malwarebytes to get to the log.  Is it OK to run both programs in Safe Mode tomorrow and post them then?  Also, OTL generated only OTL.txt but no Extras.txt.

DavidR
Re: NVSVCPMMWindowClass problem
« Reply #8 on: August 22, 2011, 02:08:05 AM »
Quote from essexboy: I have uploaded it again as an FP.

I have just downloaded it, and there was no alert by the Web Shield, the File System Shield, or a right-click scan. So it looks like it may have been resolved.

essexboy
Re: NVSVCPMMWindowClass problem
« Reply #9 on: August 22, 2011, 02:58:48 PM »
A Safe Mode run will be OK. The Extras log is only generated on the first run.

Pondus
Re: NVSVCPMMWindowClass problem
« Reply #10 on: August 22, 2011, 03:12:17 PM »
Quote from my earlier reply: Yep, we have seen this before..... I will upload an FP case to Avira... to see what they say   ;)

Avira's answer:
The file 'OTL.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Our analysts named the threat TR/Swisyn.bsgf.1. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.11.13.154. Detection will be removed from our virus definition file (VDF) with the next updates.

mb7317
Re: NVSVCPMMWindowClass problem
« Reply #11 on: August 22, 2011, 05:42:47 PM »
Here are the Malwarebytes and OTL logs.  The aswMBR scan seemed to stall after 1 hour and 40 minutes.  I'm rerunning it and will post the log when it finishes.

Rob

mb7317
Re: NVSVCPMMWindowClass problem
« Reply #12 on: August 22, 2011, 05:44:45 PM »
Only one file got attached.  Trying again.

essexboy
Re: NVSVCPMMWindowClass problem
« Reply #13 on: August 22, 2011, 06:21:25 PM »
People Can Fly - must be the new malware company  ;D

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :OTL
    PRC - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\kbdfc32.exe
    PRC - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\authz32.exe
    SRV - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\kbdfc32.exe -- (GearSecurity32)
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 213.27.237.144:80
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 213.27.237.144:80
    IE - HKU\S-1-5-21-3940758362-3715129102-3176117121-1007\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    IE - HKU\S-1-5-21-3940758362-3715129102-3176117121-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 213.27.237.144:80
    IE - HKU\S-1-5-21-3940758362-3715129102-3176117121-1013\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
    FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
    FF - prefs.js..browser.search.defaulturl: "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch"
    FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
    FF - prefs.js..network.proxy.backup.ftp: "77.125.76.62"
    FF - prefs.js..network.proxy.backup.ftp_port: 11033
    FF - prefs.js..network.proxy.backup.gopher: "77.125.76.62"
    FF - prefs.js..network.proxy.backup.gopher_port: 11033
    FF - prefs.js..network.proxy.backup.socks: "77.125.76.62"
    FF - prefs.js..network.proxy.backup.socks_port: 11033
    FF - prefs.js..network.proxy.backup.ssl: "77.125.76.62"
    FF - prefs.js..network.proxy.backup.ssl_port: 11033
    FF - prefs.js..network.proxy.ftp: "82.29.254.40"
    FF - prefs.js..network.proxy.ftp_port: 11022
    FF - prefs.js..network.proxy.gopher: "82.29.254.40"
    FF - prefs.js..network.proxy.gopher_port: 11022
    FF - prefs.js..network.proxy.http: "82.29.254.40"
    FF - prefs.js..network.proxy.http_port: 11022
    FF - prefs.js..network.proxy.share_proxy_settings: true
    FF - prefs.js..network.proxy.socks: "82.29.254.40"
    FF - prefs.js..network.proxy.socks_port: 11022
    FF - prefs.js..network.proxy.ssl: "82.29.254.40"
    FF - prefs.js..network.proxy.ssl_port: 11022
    O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - File not found
    O4 - HKU\S-1-5-21-3940758362-3715129102-3176117121-1007..\Run: [updateMgr] File not found
    [2011/08/21 16:13:20 | 000,158,208 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\authz32.dll
    [2011/08/19 10:23:55 | 000,711,680 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\authz32.exe
    [2011/08/19 10:23:43 | 000,711,680 | ---- | C] (People Can Fly) -- C:\WINDOWS\System32\kbdfc32.exe
    [2011/08/21 16:13:24 | 000,000,100 | ---- | M] () -- C:\WINDOWS\System32\581566835
    [2011/08/21 16:13:20 | 000,158,208 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\authz32.dll
    [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\kbdfc32.exe
    [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) -- C:\WINDOWS\System32\authz32.exe


    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
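
As an added example (not code from the thread, from essexboy, or from the OTL tool), the script below does by machine the triage that the fix list above reflects by eye: it parses OTL-style PRC/SRV, IE "ProxyServer" and Firefox prefs.js lines and flags proxies that point at public addresses, non-Microsoft executables living in system32, and a default search engine on an unfamiliar host. The regular expressions, the private-address test and the search-host allowlist are this example's own assumptions, and the sample lines are copied from the fix above with one benign line added.

```python
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Added example, not from the thread or OTL: heuristics below are assumptions.
# Constructed sample: lines copied from the OTL fix above plus one benign line.
SAMPLE_LOG = r"""
PRC - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) -- C:\WINDOWS\system32\kbdfc32.exe
SRV - [2011/08/19 10:23:16 | 000,711,680 | ---- | M] (People Can Fly) [Auto | Running] -- C:\WINDOWS\system32\kbdfc32.exe -- (GearSecurity32)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 213.27.237.144:80
FF - prefs.js..network.proxy.http: "82.29.254.40"
FF - prefs.js..browser.search.defaulturl: "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch"
PRC - [2008/04/14 12:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\svchost.exe
"""

PROC_RE = re.compile(r'^(PRC|SRV) - \[.*?\] \((?P<company>[^)]*)\).*?-- (?P<path>.+?\.exe)')
IE_PROXY_RE = re.compile(r'^IE - .*"ProxyServer" = (?P<host>[^:\s]+):(?P<port>\d+)')
FF_PROXY_RE = re.compile(r'^FF - prefs\.js\.\.network\.proxy\.(?P<proto>[\w.]+): "(?P<host>[^"]+)"')
SEARCH_RE = re.compile(r'^FF - prefs\.js\.\.browser\.search\.defaulturl: "(?P<url>[^"]+)"')
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}  # assumed allowlist

def is_public_host(host: str) -> bool:
    """A proxy pointing at a routable host (not loopback/LAN/localhost) deserves a look."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                      # a hostname: only 'localhost' is trusted here
        return host.lower() != "localhost"
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)

def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, detail) pairs for every line matching a hijack indicator."""
    findings = []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := PROC_RE.match(line):            # process/service entries: who signed the binary?
            if "\\system32\\" in m["path"].lower() and not m["company"].startswith("Microsoft"):
                findings.append(("unexpected-system32-binary", f'{m["company"]} -> {m["path"]}'))
        elif m := IE_PROXY_RE.match(line):      # IE/WinINET proxy forced to an outside host
            if is_public_host(m["host"]):
                findings.append(("ie-proxy-hijack", f'{m["host"]}:{m["port"]}'))
        elif m := FF_PROXY_RE.match(line):      # Firefox network.proxy.* pointing outside
            if is_public_host(m["host"]):
                findings.append(("firefox-proxy-hijack", f'{m["proto"]} -> {m["host"]}'))
        elif m := SEARCH_RE.match(line):        # default search engine replaced
            host = urlparse(m["url"]).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(("search-hijack", host))
    return findings
```

Running `triage(SAMPLE_LOG)` yields two system32 findings for kbdfc32.exe, one IE and one Firefox proxy finding, and the Babylon search hijack, while the Microsoft-signed svchost.exe line produces nothing.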

mb7317
Re: NVSVCPMMWindowClass problem
« Reply #14 on: August 22, 2011, 10:02:55 PM »
The aswMBR scan was successful.  Attached is the log.