Unknown infection???


This topic is locked
3 replies to this topic

#1 kawidood

kawidood

  • Members
  • 4 posts

Posted 26 April 2009 - 02:25 AM

Hey all,

2 or 3 days ago I started having some problems with a program called Folder Lock, which hides folders. On Friday, when I tried to download a new version of that program, the computer shut down and for a second I saw a screen that had some options, one of which said "infected". Anyway, I've run a multitude of AVs (including Malware, Superantispyware, Avira (free), Avast (free) and Kaspersky (paid)). None of them found anything serious. Tonight I paid for Norton Internet Security and when I try to load it up, something is blocking me from getting to Norton's website. I WAS able to download it originally, but the file that was downloaded was twice the size it should've been and when I try to set it up, nothing happens. I tried going to an old restore point, and when I did that, something disabled my Kaspersky. I tried running in Safe Mode, with no success. All this leads me to believe I have something serious in the computer. Help!!!!



Here is the DDS log.


DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 3:15:35.90 on Sun 04/26/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1454 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning enabled* (Updated)
AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\aol\1238391654\ee\aolsoftware.exe
C:\Program Files\AOL 9.5\waol.exe
C:\Program Files\AOL 9.5\shellmon.exe
C:\Documents and Settings\User\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.5\AOL.EXE" -b
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\user\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - c:\microgaming\poker\doylesroommpp\MPPoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://instantgreetings.aol.com/prod/install.html
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\e7vtvrip.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-19 114768]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-24 11608]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2003-12-19 6656]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-8-7 213520]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-24 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-24 185089]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-19 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-19 138680]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-22 55640]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-7-29 206088]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-19 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-19 352920]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\user\locals~1\temp\alsysio.sys --> c:\docume~1\user\locals~1\temp\ALSysIO.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys --> c:\windows\system32\drivers\motccgpfl.sys [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-04-26 03:08 268,648 a------- c:\windows\system32\mucltui.dll
2009-04-26 03:08 208,744 a------- c:\windows\system32\muweb.dll
2009-04-26 03:08 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-04-26 03:03 <DIR> --d----- c:\program files\NortonInstaller
2009-04-26 03:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-04-26 02:37 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-04-24 19:32 <DIR> --d----- c:\program files\Avira
2009-04-24 19:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-19 15:18 65,828 a------- C:\VETlog.dmp
2009-04-19 04:04 <DIR> --d----- c:\docume~1\user\applic~1\IObit
2009-04-19 04:04 <DIR> --d----- c:\program files\IObit
2009-04-19 03:55 <DIR> --d----- c:\program files\a-squared HiJackFree
2009-04-19 03:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-19 03:20 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-19 03:20 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-04-17 19:27 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-17 19:27 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 19:27 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-17 19:27 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-17 19:27 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 19:27 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-17 19:27 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 19:27 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-17 19:27 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-17 19:27 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-17 19:27 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 19:27 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-01 02:29 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-30 01:41 33,588 a----r-- c:\windows\system32\drivers\wanatw4.sys
2009-03-30 01:40 <DIR> --d----- c:\program files\common files\aolshare
2009-03-30 01:40 <DIR> --d----- c:\program files\common files\aol
2009-03-30 01:40 <DIR> --d----- c:\program files\AOL 9.5

==================== Find3M ====================

2009-04-26 03:15 794,656 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-26 03:15 5,892 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-26 03:10 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-04-26 03:10 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-04-26 02:41 6,949,408 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-26 02:41 57,468 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-24 19:24 3,012 a--sh--- c:\windows\system32\sys_drv.dat
2009-04-16 01:59 894 a------- c:\docume~1\user\applic~1\wklnhst.dat
2009-04-01 02:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 07:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-28 20:36 215,872 a------- c:\windows\system32\drivers\truecrypt.sys
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-11 12:25 499,712 a------- c:\windows\system32\msvcp71.dll
2009-02-11 12:25 348,160 a------- c:\windows\system32\msvcr71.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-05 11:54 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 3:16:39.59 ===============


PS. Kaspersky has been deactivated and I can't get it up and running again.

Thanks in advance!! I'm so frustrated!!

Edited by kawidood, 26 April 2009 - 02:32 AM.
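As an added example (not part of this thread, and not code from the DDS tool), a small Python triage pass over the kinds of lines that appear in the log above: it flags the disabled firewall, several on-access scanners running at once, drivers registered from a temp folder or whose file DDS could not find (`[?]`), and a Firefox search keyword URL that is not the browser default. The sample lines are excerpted from the posted log; the finding names are my own and are meant as "look closer here", not as verdicts.

```python
import re

# Lines excerpted from the DDS log posted above (a subset, not the whole log).
SAMPLE_LOG = r"""
AV: AntiVir Desktop *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning enabled* (Updated)
AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *disabled*
FF - prefs.js: keyword.URL - hxxp://search.speedbit.com/searchresults.asp?src=default&q=
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-8-7 213520]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\user\locals~1\temp\alsysio.sys --> c:\docume~1\user\locals~1\temp\ALSysIO.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
"""

# DDS service/driver line: "<state> <name>;<description>;<path> [<date size> | ?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]*);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")


def parse_service(line):
    # Returns a dict for an R*/S* service line, None for any other line.
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, name, desc, path, meta = m.groups()
    # "listed --> resolved [?]" means DDS could not stat the file; keep the resolved path
    if "-->" in path:
        path = path.split("-->")[-1].strip()
    return {"state": state, "name": name, "desc": desc, "path": path.lower(), "meta": meta.strip()}


def triage(text):
    # Walk a DDS log and return (finding, detail) pairs worth a closer look.
    findings, realtime_av = [], 0
    for line in text.splitlines():
        if line.startswith("AV:") and "*On-access scanning enabled*" in line:
            realtime_av += 1                      # several at once conflict and mask each other
        elif line.startswith("FW:") and "*disabled*" in line:
            findings.append(("firewall-disabled", line))
        elif line.startswith("FF - prefs.js: keyword.URL"):
            findings.append(("non-default-search-provider", line.split(" - ")[-1]))
        svc = parse_service(line)
        if svc is None:
            continue
        if svc["meta"] == "?":                    # file not found at the registered path
            findings.append(("driver-file-missing", svc["name"]))
        if "\\temp\\" in svc["path"]:             # kernel drivers rarely belong in a temp folder
            findings.append(("driver-in-temp-dir", svc["path"]))
    if realtime_av > 1:
        findings.append(("multiple-realtime-av", f"{realtime_av} on-access scanners"))
    return findings
```

Running `triage(SAMPLE_LOG)` on the excerpt yields the disabled firewall, the speedbit search URL, two drivers with missing files, the temp-folder driver path, and "3 on-access scanners"; the same parser can be pointed at a full DDS log.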




#2 kawidood

kawidood
  • Topic Starter
  • Members
  • 4 posts

Posted 26 April 2009 - 08:34 PM

Hi,

So here's an update. I was able to download Norton Internet Security 2009 by using a mirror site. I installed it and ran a thorough scan and, once again, it came up clean. So now I've used:

NIS 2009 (paid) (high sensitivity) = negative
Kaspersky (paid) (high sensitivity) = negative
Microsoft Malicious Software Removal Tool = negative
MalwareBytes = negative
SUPERAntiSpyware = negative
Avira = negative
Avast = negative

So, now what? I'm still concerned about not being able to get MS updates. I'm still concerned about the quick screen flash I got a few days ago before my PC shut itself down that said I may be infected (couldn't read the whole screen). I still suspect something may be lurking in the background and it's managed to dig itself in and hide. What can I do?

Thanks!

Edited by kawidood, 27 April 2009 - 08:10 PM.


#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 May 2009 - 01:57 AM

Hello kawidood,


Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 May 2009 - 10:41 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



