
Unknown infection, I keep removing it through AVG and it keeps coming back


  • This topic is locked
2 replies to this topic

#1 kindredwarr

kindredwarr

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:23 AM

Posted 28 April 2009 - 09:25 PM

Hi, I got a pretty bad unknown infection yesterday. I think I managed to get rid of some of it, but whenever I run AVG to make sure I'm clean, it keeps finding more trojans, as if it didn't even find anything in the first place.
I had removed ntos.exe and video.dll and audio.dll that were in a folder called wsnpoem or something. I thought finally being able to get rid of those files would help, but nothing seems to give; the virus seems to keep coming back. It's kind of like the cold I have right now, actually :thumbup2:

I forgot to mention, I keep randomly getting a pop-up for some poker website, and a Windows notification that I can make money by pressing the button, or something to that effect.

As mentioned in the topic description, I've also run Malwarebytes (which refuses to update for some reason; hell, I can't even get into the website on this computer), and DDS doesn't run past the black screen or produce any files, so all I have right now is the HJT log, sorry.

I beg for some help on this, I've never been this frustrated with an infection before.

Also, because of #8 on the Prep Guide, I want to mention that I posted a thread requesting help last night at the Malwarebytes forum, but as mentioned, I can't even log into the website, making it a bit of a pain for me to find out if I've received a reply, as well as to read it and especially to follow through on any directions, so please don't close this thread on me. I swear I won't be cross-referencing answers or going back and forth and getting conflicting answers. So please, please, please don't close this thread on me because of that.

Edit: There was quite a bit of weirdness, including my printer not being there, and all my settings are totally borked... not sure wtf happened. I'm kind of thinking this may be a lost cause; however, I got DDS to run, so I attached the proper file and am pasting the DDS txt.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Warren at 22:51:22.68 on Tue 04/28/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = www.cox.net
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [Diagnostic Manager] c:\windows\temp\3848463594.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: turbotax.com
Trusted Zone: antimalwareguard.com
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1154037504015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {6C1CDEFE-972F-45B7-89B4-896B6B9BE9F1} = 68.105.28.12,68.105.29.12
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: iwxnlf.dll c:\windows\system32\fohuvefa.dll ,c:\progra~1\thunmail\testabd.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\warren\applic~1\mozilla\firefox\profiles\jwkssby3.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?id=2
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCID.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============


============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-28 22:11 17,376 a------- c:\windows\system32\drivers\ljdec1e.sys
2009-04-28 21:45 96,128 ac------ c:\windows\system32\dllcache\ati.dll
2009-04-28 21:44 7,168 ac------ c:\windows\system32\dllcache\wamregps.dll
2009-04-28 21:44 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
2009-04-28 21:44 19,968 ac------ c:\windows\system32\dllcache\inetsloc.dll
2009-04-28 21:44 7,680 ac------ c:\windows\system32\dllcache\inetmgr.exe
2009-04-28 21:44 169,984 ac------ c:\windows\system32\dllcache\iisui.dll
2009-04-28 21:44 14,336 ac------ c:\windows\system32\dllcache\iisreset.exe
2009-04-28 21:44 5,632 ac------ c:\windows\system32\dllcache\iisrstap.dll
2009-04-28 21:44 6,144 ac------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-04-28 21:44 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx
2009-04-28 21:44 <DIR> --d----- c:\windows\LastGood.Tmp
2009-04-28 21:44 16,439 ac------ c:\windows\system32\dllcache\admin.exe
2009-04-28 19:56 <DIR> --d----- c:\windows\system32\3361
2009-04-28 19:56 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-04-28 19:56 <DIR> --d----- c:\windows\dhcp
2009-04-28 18:56 17,376 a------- c:\windows\system32\drivers\qkjc6a2.sys
2009-04-28 18:56 124 a------- c:\windows\system32\17.tmp
2009-04-28 14:59 <DIR> --d----- c:\program files\FileASSASSIN
2009-04-28 14:32 <DIR> --d----- c:\program files\GiPo@Utilities
2009-04-28 14:32 <DIR> --d----- c:\program files\common files\Gibinsoft Shared
2009-04-28 13:24 <DIR> --d----- c:\windows\ERUNT
2009-04-27 13:35 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-27 13:33 578,560 a------- c:\windows\system32\wrckaa
2009-04-27 13:33 31,232 a------- C:\syxm.exe
2009-04-27 13:33 290,304 a------- C:\budcxy.exe
2009-04-27 13:13 0 a------- c:\windows\mqcd.dbt
2009-04-27 13:13 0 a------- c:\windows\system32\1D2.tmp
2009-04-27 13:13 61,440 a------- c:\windows\system32\1D1.tmp
2009-04-27 13:13 <DIR> --d----- c:\windows\system32\796525
2009-04-27 13:13 152,064 a------- c:\windows\system32\1CF.tmp
2009-04-27 13:13 124 a------- c:\windows\system32\1CE.tmp
2009-04-27 13:12 89,596 a------- c:\windows\system32\drivers\832c8131.sys
2009-04-27 13:12 28,672 a------- c:\windows\system32\inqby.sr
2009-04-27 13:12 32,768 a------- c:\windows\system32\ferryl.cbv
2009-04-27 13:12 32,768 a------- c:\windows\system32\fairy.an
2009-04-27 13:12 79,360 a------- c:\windows\system32\ashl.nq
2009-04-27 13:12 28,672 a------- c:\windows\system32\dolman.zt
2009-04-27 13:12 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-27 13:12 290,304 a------- C:\kggi.exe
2009-04-24 19:32 <DIR> --d----- c:\program files\Free Fire Screensaver
2009-04-24 19:32 <DIR> --d----- c:\docume~1\warren\applic~1\Laconic Software
2009-04-24 19:31 540,672 a------- c:\windows\system32\Holding Pattern Coach.scr
2009-04-24 19:31 <DIR> --d----- c:\windows\system32\Holding Pattern Coach dir
2009-04-24 19:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\dscollect
2009-04-24 15:10 <DIR> --d----- c:\program files\common files\CyberLink
2009-04-24 15:09 29,480 a------- c:\windows\system32\msxml3a.dll
2009-04-24 14:51 <DIR> --d----- c:\program files\Uniblue
2009-04-24 14:24 <DIR> --d----- c:\program files\Corel
2009-04-09 19:08 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-04-09 19:08 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-04-09 19:08 235,856 a------- c:\windows\system32\xactengine3_3.dll
2009-04-09 19:07 <DIR> --d----- c:\windows\95FC26FB19FD4A96BBB1B1062E8648F5.TMP
2009-04-09 18:43 <DIR> --d----- c:\program files\Codemasters
2009-04-08 09:50 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-04-07 18:57 <DIR> --d----- c:\program files\PS3 Media Server
2009-04-03 07:02 <DIR> --d----- c:\program files\Stardock Games
2009-04-01 10:04 <DIR> --d----- c:\program files\PeerGuardian2
2009-03-31 14:42 <DIR> --d----- C:\0922a2c3187267282bbc
2009-03-30 23:25 47,624 a---h--- c:\windows\system32\mlfcache.dat
2009-03-30 23:24 <DIR> --d----- c:\program files\Bonjour
2009-03-30 12:39 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0

==================== Find3M ====================

2009-04-27 13:18 182,656 ac------ c:\windows\system32\drivers\ndis.sys
2009-04-27 13:12 578,560 a------- c:\windows\system32\user32.DLL
2009-04-24 15:08 505,128 a------- c:\windows\system32\msvcp71.dll
2009-04-08 09:50 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-19 23:15 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-05 11:54 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-03 14:32 1,630 a------- c:\docume~1\warren\applic~1\wklnhst.dat
2008-08-27 16:38 22,328 a------- c:\docume~1\warren\applic~1\PnkBstrK.sys
2006-10-26 22:17 1 a------- c:\documents and settings\warren\SI.bin

============= FINISH: 22:52:05.14 ===============

Edited by kindredwarr, 29 April 2009 - 12:58 AM.
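The Pseudo HJT section of the DDS log above carries several of the entries a helper would look at first: a browser proxy pointing at a local listener (localhost:7171), a Run entry launched from c:\windows\temp, registry policies that disable Folder Options and Registry Editor, an AppInit_DLLs value naming three DLLs, and a non-default LSA authentication package. As an added example (not part of the original post and not DDS code), the script below triages lines in that report format against those indicators. The rule set and the severities are my own assumptions, meant to surface lines for a human to review rather than to declare anything malware; the sample input is constructed from lines of the log above plus one benign NVIDIA Run entry as a control.

```python
"""Triage helper for DDS / HijackThis-style 'Pseudo HJT Report' lines.

Added example for this thread, not part of the original post or of DDS.
The rules and severities are assumptions chosen to be conservative: a hit
means "a person should look at this line", not "this line is malware".
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines taken from the Pseudo HJT section of the
# log posted above, plus one benign vendor Run entry (NvCplDaemon) as a control.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=localhost:7171
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
dRun: [Diagnostic Manager] c:\\windows\\temp\\3848463594.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
Trusted Zone: antimalwareguard.com
Trusted Zone: turbotax.com
AppInit_DLLs: iwxnlf.dll c:\\windows\\system32\\fohuvefa.dll ,c:\\progra~1\\thunmail\\testabd.dll,
LSA: Authentication Packages = msv1_0 relog_ap
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" (almost never legitimate) or "review" (ask the user)
    line: str
    reason: str


# Policies that lock the user out of the tools needed for cleanup.
LOCKOUT_POLICIES = ("DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr")
# The only LSA authentication package present on a default Windows XP install.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
# Directories a legitimate autostart entry almost never points into.
SUSPECT_RUN_DIRS = re.compile(r"\\(temp|tmp|recycler)\\", re.IGNORECASE)


def check_local_proxy(line):
    """IE proxy set to a listener on the machine itself: something local is
    sitting in the middle of all browser traffic."""
    if "proxyserver" not in line.lower():
        return None
    m = re.search(r"(localhost|127\.0\.0\.1):(\d+)", line, re.IGNORECASE)
    if m:
        return Finding("high", line,
                       f"browser traffic routed through a local listener on port {m.group(2)}")
    return None


def check_run_entry(line):
    """uRun/mRun/dRun are the per-user, machine and default-profile Run keys."""
    if not re.match(r"[umd]Run:", line):
        return None
    target = line.split("]", 1)[1].strip() if "]" in line else line
    if SUSPECT_RUN_DIRS.search(target):
        return Finding("high", line, "autostart points into a temp directory")
    if re.search(r"\\\d+\.exe\b", target, re.IGNORECASE):
        return Finding("high", line, "autostart executable has a purely numeric name")
    return None


def check_policy(line):
    if not re.match(r"[umd]Policies-", line):
        return None
    for name in LOCKOUT_POLICIES:
        if name in line and "= 1" in line:
            return Finding("high", line, f"{name} policy locks the user out of a cleanup tool")
    return None


def check_trusted_zone(line):
    """Trusted Zone sites get relaxed IE security; each one needs a user's OK."""
    if not line.startswith("Trusted Zone:"):
        return None
    domain = line.split(":", 1)[1].strip()
    return Finding("review", line, f"{domain} runs with relaxed IE security; confirm the user added it")


def check_appinit(line):
    """AppInit_DLLs are loaded into every process that loads user32.dll.
    Windows treats spaces and commas as separators here, so splitting on
    both matches how the value is actually parsed."""
    if not line.startswith("AppInit_DLLs:"):
        return None
    dlls = [d for d in re.split(r"[ ,]+", line.split(":", 1)[1]) if d]
    if dlls:
        return Finding("high", line,
                       f"{len(dlls)} DLL(s) injected into every GUI process: {', '.join(dlls)}")
    return None


def check_lsa(line):
    """Extra authentication packages are loaded into lsass.exe and handed
    logon credentials."""
    if not line.startswith("LSA: Authentication Packages"):
        return None
    extra = sorted(set(line.split("=", 1)[1].split()) - DEFAULT_AUTH_PACKAGES)
    if extra:
        return Finding("high", line, f"non-default LSA authentication package(s): {', '.join(extra)}")
    return None


CHECKS = (check_local_proxy, check_run_entry, check_policy,
          check_trusted_zone, check_appinit, check_lsa)


def triage(report_text):
    """Run every check over each non-empty line; first matching rule wins."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it over the constructed sample and eight lines come back, six "high" and two "review"; the NvCplDaemon control is not flagged. The point of separating persistence entries (Run keys, AppInit_DLLs, LSA packages) from the files they launch is that deleting the files alone, as the first post describes doing, leaves the loaders in place, which is the usual reason an AV scan keeps finding "new" trojans on the same machine.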



#2 kindredwarr

kindredwarr
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:02:23 AM

Posted 29 April 2009 - 01:03 AM

Okay... sorry, just close out this thread. I'm going to use a System Restore; for whatever reason my sound also decided to stop working, not sure what happened, but I think this is a bit easier.

Edited by kindredwarr, 29 April 2009 - 01:04 AM.


#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:23 AM

Posted 01 May 2009 - 05:16 AM

Thanks for informing us.
Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



