Infected with heur.invader? - Immune to KAV, MBAM, SAS, Avira, Comodo IS & A-squared. Help appreciated!


  • This topic is locked
15 replies to this topic

#1 yoyokev

yoyokev

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:01 AM

Posted 10 June 2009 - 03:56 PM

Hi there,

First of all, thanks in advance for your help. So here's the rundown of my issue:

- February 2009: My Kaspersky Anti-virus subscription expired, and I foolishly just ignored it and only relied on my firewall (Comodo) without installing any other antivirus
- March 2009: While I was on MSN Messenger, suddenly I couldn't type more than a letter before it skipped to the next line, and then it would suddenly open and close programs if I pointed my mouse near them. It is as if, once the malware activates, it simulates someone holding down the 'enter' key.

- March 2009: So I downloaded the slew of anti-malware programs, e.g. MBAM, Superantispyware, A-squared, and they caught some random adware and spyware programs and were supposedly able to remove them. I also downloaded Comodo Internet Security and Avira and did scans, as well as a KAV Online scan and this MSN virus remover, and both showed up free of infections.
- April 2009: However, when I occasionally went on MSN, the infection somehow activated itself and froze the computer. Then I ran my outdated KAV, and it showed a possible infection of heur.invader.
- June 2009: Now, I tried running the anti-malware programs in safe mode, but it still activates itself, including when the computer boots up, sometimes it just beeps and suddenly turns the computer off.

I don't even know where to start, as my teenage cousins looked at it and did some things (not sure what they did), but still nothing good came out of it.
My cousins occasionally use the computer while I'm at work (but not anymore after this)... so I have no idea what they do to it.

Below is my .dds file, and hopefully you can give me some pointers on where to start to fix this. Thank you very much for your help!!!

Cheers,

Kevin

DDS (Ver_09-05-14.01) - NTFSx86
Run by Kevin at 12:59:19.46 on 10/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2549.1402 [GMT -7:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\WidgiToolbarIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\WidgiToolbarIE.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\kevin\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: live.com\login
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\kevin\appdata\roaming\mozilla\firefox\profiles\f23bquzn.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\photosynth\tech preview\nppsynth.dll
FF - plugin: c:\users\kevin\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-03 23:39 <DIR> --d----- c:\program files\EfficientDiary
2009-06-03 23:02 <DIR> --d----- c:\program files\My Journal
2009-05-28 00:52 <DIR> --d----- c:\program files\common files\xing shared
2009-05-20 23:18 <DIR> --d----- c:\program files\Paint.NET
2009-05-14 11:42 <DIR> --d----- c:\program files\AviSynth 2.5
2009-05-14 11:42 <DIR> --d----- c:\program files\eRightSoft
2009-05-14 11:08 <DIR> --d----- c:\users\kevin\appdata\roaming\FMZilla
2009-05-14 11:08 <DIR> --d----- C:\downloads
2009-05-14 11:08 <DIR> --d----- c:\program files\Free Music Zilla

==================== Find3M ====================

2009-06-09 03:06 37,192,992 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-09 03:06 498,308 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-01 11:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-04-28 11:13 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-28 11:13 86,016 a------- c:\windows\inf\infstor.dat
2009-04-28 11:13 51,200 a------- c:\windows\inf\infpub.dat
2009-04-17 17:51 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-04-16 22:03 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-04-09 01:15 155,384 a------- c:\windows\system32\guard32.dll
2009-03-20 07:36 161,064 a------- c:\windows\system32\SynTPAPI.dll
2009-03-20 07:36 120,104 a------- c:\windows\system32\SynTPCo4.dll
2009-03-20 07:36 206,120 a------- c:\windows\system32\SynCtrl.dll
2009-03-20 07:36 169,256 a------- c:\windows\system32\SynCOM.dll
2009-03-18 04:13 174 a--sh--- c:\program files\desktop.ini
2009-03-17 22:55 665,600 a------- c:\windows\inf\drvindex.dat
2009-03-17 20:13 101,888 a------- c:\windows\system32\ifxcardm.dll
2009-03-17 20:13 82,432 a------- c:\windows\system32\axaltocm.dll
2009-03-16 20:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 20:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 20:38 24,064 a------- c:\windows\system32\amxread.dll
2008-11-22 12:27 9,876,944 a------- c:\program files\WhiteCap_515.exe
2008-09-10 17:21 4,581,808 a------- c:\program files\OutlookConnector.exe
2008-08-09 09:03 4,891,216 a------- c:\program files\Silverlight.2.0.exe
2007-10-20 17:31 47,360 a------- c:\users\kevin\appdata\roaming\pcouffin.sys
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-09-01 04:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-09-01 04:22 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-09-01 04:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2006-05-03 03:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 04:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 06:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2008-03-12 08:04 112,218,656 a--sh--- c:\windows\system32\drivers\fidbox(199).dat

============= FINISH: 13:02:27.97 ===============

Attachments:
Attach.txt
KAV_Scan.txt

#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:01 PM

Posted 19 June 2009 - 08:30 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,722 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:01 PM

Posted 23 June 2009 - 04:43 PM

Topic reopened.

@ yoyokev,

Please post the new logs along with an updated description of your issues.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 yoyokev

yoyokev
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:01 AM

Posted 23 June 2009 - 05:31 PM

Thanks for your help and patience, etavares and Orange Blossom.

June 23: So just an update on what's going on.

Observations:

It seems that this malware is sporadic in when it 'attacks', about once every 2-3 days. It is terrible for several hours, and I just turn the computer off. Then it is fine for 1-2 days before it acts up again. As mentioned in my previous post, it keeps on activating the 'refresh' or 'open' type of commands. For example, I will be on Google and it just refreshes continuously, as well as opening up multiple windows. The worst thing is that when this malware 'activates' itself, it sometimes prevents the computer from booting up, as it overloads the computer and I get the dreaded beeping sound from the internal speaker. When I can press F8 fast enough, I have to be super fast to scroll down to safe mode, and even then sometimes in safe mode the computer would still crash.

My attempted actions:

I've run scans on KAV (outdated database from Feb 09, in addition to an updated online scan), and the updated databases for MBAM, SAS, Avira, A-squared, and Comodo, all in conjunction with Threatfire, but it still doesn't seem to get rid of the problem. Currently I'm using the Comodo IS suite, with the Firewall, Defense+, and AV modes all updated and dialed to maximum protection.

Also, I regularly use CCleaner to get rid of temp files. It seems that during the month of February, when I foolishly exposed my computer without an AV, the malware crept in, and any new anti-malware I downloaded afterwards couldn't get rid of it.

Alas, below is my DDS file, and I've also attached my Comodo AV log (it's currently on On-Access mode, so there are a lot of false positives).

Thanks for your help in advance!!!

Kevin


DDS (Ver_09-05-14.01) - NTFSx86
Run by Kevin at 1:25:13.96 on 23/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2549.1324 [GMT -7:00]

AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
SP: COMODO Defense+ *disabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Kaspersky Anti-Virus *enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: ThreatFire *enabled* (Updated) {79E34F8F-D0AD-48d6-9223-C657C6491F67}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\system32\TODDSrv.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Kevin\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\WidgiToolbarIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\WidgiToolbarIE.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: live.com\login
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\kevin\appdata\roaming\mozilla\firefox\profiles\f23bquzn.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\photosynth\tech preview\nppsynth.dll
FF - plugin: c:\users\kevin\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-3 51472]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-3-3 39184]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-4-9 130080]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-4-9 28704]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2007-4-4 20760]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-12 108289]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2007-9-17 113128]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-3-3 33040]
S2 gupdate1c9ce7f77e66c80;Google Update Service (gupdate1c9ce7f77e66c80);c:\program files\google\update\GoogleUpdate.exe [2009-5-6 133104]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-4-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-4-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-4-24 108680]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2007-4-24 98696]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-06-18 19:03 191,184 a---h--- c:\windows\system32\mlfcache.dat
2009-06-12 00:24 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-12 00:24 <DIR> --d----- c:\programdata\Avira
2009-06-12 00:24 <DIR> --d----- c:\program files\Avira
2009-06-12 00:24 <DIR> --d----- c:\progra~2\Avira
2009-06-11 18:25 1,474,832 a------- c:\windows\system32\drivers\sfi.dat
2009-06-03 23:39 <DIR> --d----- c:\program files\EfficientDiary
2009-06-03 23:02 <DIR> --d----- c:\program files\My Journal
2009-05-28 00:52 <DIR> --d----- c:\program files\common files\xing shared

==================== Find3M ====================

2009-06-23 00:54 37,192,992 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-23 00:54 498,308 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-11 17:43 168,208 a------- c:\windows\system32\guard32.dll
2009-06-11 17:43 28,704 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-06-11 17:43 130,080 a------- c:\windows\system32\drivers\cmdguard.sys
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-01 11:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-04-28 11:13 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-28 11:13 86,016 a------- c:\windows\inf\infstor.dat
2009-04-28 11:13 51,200 a------- c:\windows\inf\infpub.dat
2009-03-18 04:13 174 a--sh--- c:\program files\desktop.ini
2009-03-17 22:55 665,600 a------- c:\windows\inf\drvindex.dat
2008-11-22 12:27 9,876,944 a------- c:\program files\WhiteCap_515.exe
2008-09-10 17:21 4,581,808 a------- c:\program files\OutlookConnector.exe
2008-08-09 09:03 4,891,216 a------- c:\program files\Silverlight.2.0.exe
2007-10-20 17:31 47,360 a------- c:\users\kevin\appdata\roaming\pcouffin.sys
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-09-01 04:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-09-01 04:22 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-09-01 04:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2006-05-03 03:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 04:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 06:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2008-03-12 08:04 112,218,656 a--sh--- c:\windows\system32\drivers\fidbox(199).dat

============= FINISH: 1:28:20.88 ===============


#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:01 PM

Posted 24 June 2009 - 08:25 AM

Hello.

I see that you are running more than one antivirus program. It is not recommended that you do so. In addition to wasting resources, the programs may detect virus signatures in each other and cause false positives. The different drivers used by the programs can cause crashes.

Please uninstall them using Add/Remove Programs until you are only running one antivirus.

All of the items detected in the Comodo log are from other security programs.

Take a new DDS.txt log after please.

With Regards,
The Panda
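
As an added example (not part of this thread or of the DDS tool), the following Python script reads the product header and the Pseudo HJT section of a DDS log and flags the conditions the helpers look for above: more than one antivirus with on-access scanning enabled, products reporting outdated definitions, autostart/BHO entries whose file DDS could not find ("No File"), and UAC switched off (EnableLUA = 0). The regular expressions assume the line layout seen in the posted logs; the sample log is constructed from lines copied out of those logs.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout DDS prints. The product lines, GUIDs and
# autostart entries are copied from the logs posted in this thread.
SAMPLE_DDS = r"""AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mPolicies-system: EnableLUA = 0 (0x0)
"""

# One DDS product line: "<kind>: <name> *<state>* [(Updated|Outdated)] {<GUID>}"
# (assumed from the posted logs; the (Updated)/(Outdated) part is absent on FW lines)
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|SP|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*"
    r"(?: \((?P<fresh>Updated|Outdated)\))? \{(?P<guid>[0-9A-Fa-f-]+)\}$"
)


@dataclass
class Product:
    kind: str   # AV, SP (anti-spyware) or FW (firewall)
    name: str
    state: str  # text between the asterisks, e.g. "On-access scanning enabled"
    fresh: str  # "Updated", "Outdated", or "" when DDS prints neither
    guid: str


def parse_products(dds_text: str) -> List[Product]:
    """Collect the AV/SP/FW header lines of a DDS log."""
    products = []
    for line in dds_text.splitlines():
        m = PRODUCT_RE.match(line.strip())
        if m:
            products.append(Product(m["kind"], m["name"], m["state"],
                                    m["fresh"] or "", m["guid"]))
    return products


def onaccess_av(products: List[Product]) -> List[str]:
    """Antivirus products whose real-time (on-access) scanner is enabled."""
    return [p.name for p in products
            if p.kind == "AV" and p.state == "On-access scanning enabled"]


def outdated(products: List[Product]) -> List[str]:
    return [p.name for p in products if p.fresh == "Outdated"]


def orphan_entries(dds_text: str) -> List[str]:
    """Autostart/BHO entries whose target file DDS reported as missing."""
    return [ln.strip() for ln in dds_text.splitlines()
            if ln.rstrip().endswith("- No File")]


def uac_disabled(dds_text: str) -> bool:
    """EnableLUA = 0 under the machine policy key means UAC is turned off."""
    return any(re.match(r"^mPolicies-system: EnableLUA = 0\b", ln.strip())
               for ln in dds_text.splitlines())


def triage(dds_text: str) -> List[str]:
    """Human-readable findings, in a fixed order, for a helper to review."""
    products = parse_products(dds_text)
    findings = []
    active = onaccess_av(products)
    if len(active) > 1:
        findings.append("more than one on-access antivirus enabled: " + ", ".join(active))
    for name in outdated(products):
        findings.append(f"outdated definitions: {name}")
    for entry in orphan_entries(dds_text):
        findings.append(f"orphaned entry (target missing): {entry}")
    if uac_disabled(dds_text):
        findings.append("UAC disabled (EnableLUA = 0)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print("-", finding)
```

Run it against a saved DDS.txt by reading the file into a string and passing it to `triage()`; the header and Pseudo HJT sections are all it needs.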

#6 yoyokev

yoyokev
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:01 AM

Posted 24 June 2009 - 01:49 PM

The Panda,

Thanks for the advice. So I uninstalled two AV programs I had running, and kept Comodo and Threatfire (is that okay?).

Below is my new .dds file:

Cheers,

Kevin


DDS (Ver_09-05-14.01) - NTFSx86
Run by Kevin at 11:39:24.54 on 24/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2549.1584 [GMT -7:00]

AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
SP: COMODO Defense+ *disabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ThreatFire *enabled* (Updated) {79E34F8F-D0AD-48d6-9223-C657C6491F67}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\system32\TODDSrv.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kevin\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\WidgiToolbarIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\WidgiToolbarIE.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
dRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: live.com\login
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\kevin\appdata\roaming\mozilla\firefox\profiles\f23bquzn.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\photosynth\tech preview\nppsynth.dll
FF - plugin: c:\users\kevin\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-3 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-3-3 46864]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-4-9 130080]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-4-9 28704]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2007-9-17 113128]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-3-3 33552]
S2 gupdate1c9ce7f77e66c80;Google Update Service (gupdate1c9ce7f77e66c80);c:\program files\google\update\GoogleUpdate.exe [2009-5-6 133104]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-4-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-4-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-4-24 108680]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2007-4-24 98696]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-06-24 11:34 153 a------- c:\windows\cavscan.INI
2009-06-23 15:14 130 a------- c:\windows\cfplogvw.INI
2009-06-23 14:17 <DIR> --d----- c:\programdata\HP Product Assistant
2009-06-23 14:08 117,760 a------- c:\windows\system32\hpzll5ha.dll
2009-06-23 14:04 140,987 a------- c:\windows\hpoins14.dat
2009-06-23 14:04 2,000 -------- c:\windows\hpomdl14.dat
2009-06-23 14:03 267,864 a------- c:\windows\system32\hpzids01.dll
2009-06-23 14:03 506,598 a------- c:\windows\system32\autorun.inf
2009-06-18 19:03 191,184 a---h--- c:\windows\system32\mlfcache.dat
2009-06-12 00:24 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-11 18:25 1,474,832 a------- c:\windows\system32\drivers\sfi.dat
2009-06-03 23:39 <DIR> --d----- c:\program files\EfficientDiary
2009-06-03 23:02 <DIR> --d----- c:\program files\My Journal
2009-05-28 00:52 <DIR> --d----- c:\program files\common files\xing shared

==================== Find3M ====================

2009-06-24 11:22 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-24 11:22 86,016 a------- c:\windows\inf\infstor.dat
2009-06-24 11:22 51,200 a------- c:\windows\inf\infpub.dat
2009-06-19 13:37 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-19 13:37 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-19 13:37 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-11 17:43 168,208 a------- c:\windows\system32\guard32.dll
2009-06-11 17:43 28,704 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-06-11 17:43 130,080 a------- c:\windows\system32\drivers\cmdguard.sys
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-01 11:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-03-18 04:13 174 a--sh--- c:\program files\desktop.ini
2009-03-17 22:55 665,600 a------- c:\windows\inf\drvindex.dat
2008-11-22 12:27 9,876,944 a------- c:\program files\WhiteCap_515.exe
2008-09-10 17:21 4,581,808 a------- c:\program files\OutlookConnector.exe
2008-08-09 09:03 4,891,216 a------- c:\program files\Silverlight.2.0.exe
2007-10-20 17:31 47,360 a------- c:\users\kevin\appdata\roaming\pcouffin.sys
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-09-01 04:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-09-01 04:22 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-09-01 04:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2006-05-03 03:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 04:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 06:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2008-03-12 08:04 112,218,656 a--sh--- c:\windows\system32\drivers\fidbox(199).dat

============= FINISH: 11:41:31.32 ===============

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:02:01 PM

Posted 24 June 2009 - 02:57 PM

Hello.

Your logs look clean of malware. I think you were getting false positives from having too many antiviruses.

Submit File Sample
There are a couple files that I want to take a look at.
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/233024/infected-with-heurinvader-immune-against-kavmbamsasaviracomodo-is-a-squared-help-appreciated/
  • Under Browse to the file you want to submit, input:
    c:\windows\cavscan.INI
    c:\windows\cavscan.INI
    (Do these one at a time)
  • Under the comments section, say that Panda asked for the submission.
With Regards,
The Panda

#8 yoyokev

yoyokev
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:01 AM

Posted 24 June 2009 - 04:05 PM

The Panda,

I've submitted the file as requested. I'm also wondering: is it possible that when the malware is not 'activated', the entry would not show up in the .dds file?

Thanks again for your help.

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:02:01 PM

Posted 24 June 2009 - 05:29 PM

Hello.

Is it possible that when the malware is not 'activated', that the entry would not show up on the .dds file?

Yes. DDS and other such tools look at loading points on the machine, not every single file.

So if you had an infected file that is just sitting somewhere, then it may not be seen.

Are you still getting those detections?

With Regards,
The Panda

#10 yoyokev

yoyokev
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:01 AM

Posted 24 June 2009 - 07:48 PM

Hello again,

The past couple of days have been fine - the last time the malware activated itself was last Thursday while I was viewing clips on YouTube. I basically just had to force-shutdown the computer by holding down the power button, as it was continuously opening up several windows and wouldn't respond at all to Ctrl+Alt+Del. After waiting a few hours, I simply started it in safe mode, then after a few more restarts it eventually was fine, although I did notice the computer initially running slower than usual.

Previously, the problem occurred most often when I was on MSN Messenger, and so subsequently I uninstalled that program and have been using MSN Web messenger since. I think I'll sit tight and wait a few more days (hopefully the mods will keep this thread open), and once the problem occurs again, I'll try to immediately run the DDS to see if anything abnormal shows up. Is that a good idea, or do you know if there's anything else I can be doing in the meantime?

Thanks.

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:02:01 PM

Posted 24 June 2009 - 08:51 PM

Hello.

Don't worry, we'll leave it open to keep an eye out for any changes.

With Regards,
The Panda

#12 yoyokev

yoyokev
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:01 AM

Posted 30 June 2009 - 03:43 PM

Hello again.

So I got attacked this morning, and I think I'm pinpointing the issue. It seems to have occurred when I opened Web Messenger: when my friends' accounts that have been infected send me spam instant messages advertising weight loss, 'enhancements', etc., it attacks my computer even though my AV and firewalls are on:

Here is the DDS file:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Kevin at 12:00:03.28 on 30/06/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.2549.1494 [GMT -7:00]

AV: ThreatFire *On-access scanning enabled* (Updated) {67B2B9A1-25C8-4057-962D-807958FFC9E3}
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
SP: COMODO Defense+ *enabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ThreatFire *enabled* (Updated) {79E34F8F-D0AD-48d6-9223-C657C6491F67}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\system32\TODDSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kevin\Desktop\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\WidgiToolbarIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - c:\program files\pdfforge toolbar\WidgiToolbarIE.dll
uRun: [Google Update] "c:\users\kevin\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: live.com\login
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\kevin\appdata\roaming\mozilla\firefox\profiles\f23bquzn.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\photosynth\tech preview\nppsynth.dll
FF - plugin: c:\users\kevin\appdata\local\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-3 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-3-3 46864]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-4-9 130080]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-4-9 28704]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2007-9-17 113128]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-3-3 33552]
S2 gupdate1c9ce7f77e66c80;Google Update Service (gupdate1c9ce7f77e66c80);c:\program files\google\update\GoogleUpdate.exe [2009-5-6 133104]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-4-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-4-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-4-24 108680]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2007-4-24 98696]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-06-26 14:50 719,872 a------- c:\windows\system32\devil.dll
2009-06-26 14:50 318,976 a------- c:\windows\system32\avisynth.dll
2009-06-24 17:56 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-24 17:53 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-06-24 11:34 153 a------- c:\windows\cavscan.INI
2009-06-23 15:14 130 a------- c:\windows\cfplogvw.INI
2009-06-23 14:17 <DIR> --d----- c:\programdata\HP Product Assistant
2009-06-23 14:08 117,760 a------- c:\windows\system32\hpzll5ha.dll
2009-06-23 14:04 140,987 a------- c:\windows\hpoins14.dat
2009-06-23 14:04 2,000 -------- c:\windows\hpomdl14.dat
2009-06-23 14:03 267,864 a------- c:\windows\system32\hpzids01.dll
2009-06-23 14:03 506,598 a------- c:\windows\system32\autorun.inf
2009-06-18 19:03 191,184 a---h--- c:\windows\system32\mlfcache.dat
2009-06-12 00:24 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-11 18:25 1,474,832 a------- c:\windows\system32\drivers\sfi.dat
2009-06-03 23:39 <DIR> --d----- c:\program files\EfficientDiary
2009-06-03 23:02 <DIR> --d----- c:\program files\My Journal

==================== Find3M ====================

2009-06-24 11:22 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-24 11:22 86,016 a------- c:\windows\inf\infstor.dat
2009-06-24 11:22 51,200 a------- c:\windows\inf\infpub.dat
2009-06-19 13:37 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-19 13:37 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-19 13:37 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-11 17:43 168,208 a------- c:\windows\system32\guard32.dll
2009-06-11 17:43 28,704 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-06-11 17:43 130,080 a------- c:\windows\system32\drivers\cmdguard.sys
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-08 22:50 915,456 a------- c:\windows\system32\wininet.dll
2009-05-08 22:34 71,680 a------- c:\windows\system32\iesetup.dll
2009-05-01 11:30 3,366,912 a------- c:\windows\system32\GPhotos.scr
2009-04-30 05:37 293,376 a------- c:\windows\system32\psisdecd.dll
2009-04-30 05:37 428,544 a------- c:\windows\system32\EncDec.dll
2009-04-23 05:42 636,928 a------- c:\windows\system32\localspl.dll
2009-03-18 04:13 174 a--sh--- c:\program files\desktop.ini
2009-03-17 22:55 665,600 a------- c:\windows\inf\drvindex.dat
2008-11-22 12:27 9,876,944 a------- c:\program files\WhiteCap_515.exe
2008-09-10 17:21 4,581,808 a------- c:\program files\OutlookConnector.exe
2008-08-09 09:03 4,891,216 a------- c:\program files\Silverlight.2.0.exe
2007-10-20 17:31 47,360 a------- c:\users\kevin\appdata\roaming\pcouffin.sys
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-09-01 04:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-09-01 04:22 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-09-01 04:22 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2006-05-03 03:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 04:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 06:30 216,064 ---shr-- c:\windows\system32\nbDX.dll
2008-03-12 08:04 112,218,656 a--sh--- c:\windows\system32\drivers\fidbox(199).dat

============= FINISH: 12:00:59.33 ===============


I hope that helps, and thanks again for your help.

Cheers,

Kevin
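DDS records loading points (Run keys, BHOs, services, drivers) rather than every file, as Panda explains in #9, so the practical check between two of Kevin's logs is which loading points appeared or disappeared. The Python below is an added example, not code from the thread or from the DDS tool: it splits a DDS log on its section headers and diffs the Pseudo HJT Report and Services/Drivers sections of two logs. The two sample logs are excerpts constructed from the logs posted above, and the EnableLUA check is my own addition (EnableLUA = 0 is the registry policy that turns UAC off on Vista).

```python
"""Compare the loading-point sections of two DDS logs (added example, not the DDS tool's code)."""
import re
from typing import Dict, List, Set

# DDS section headers look like "============== Pseudo HJT Report ===============".
SECTION_RE = re.compile(r"^=+\s*([^=]+?)\s*=+$")

# Sections that enumerate loading points. The file-listing sections
# (Created Last 30, Find3M) change on every run and are not diffed here.
LOADING_POINT_SECTIONS = ("Pseudo HJT Report", "SERVICES / DRIVERS")


def parse_sections(log: str) -> Dict[str, Set[str]]:
    """Split a DDS log into {section name: set of non-blank entry lines}."""
    sections: Dict[str, Set[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, set())
            continue
        if current is not None:
            sections[current].add(line)
    return sections


def diff_loading_points(old_log: str, new_log: str) -> Dict[str, Dict[str, List[str]]]:
    """Per loading-point section, list the entries added and removed between two logs."""
    old, new = parse_sections(old_log), parse_sections(new_log)
    report: Dict[str, Dict[str, List[str]]] = {}
    for name in LOADING_POINT_SECTIONS:
        before, after = old.get(name, set()), new.get(name, set())
        report[name] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return report


def weak_policy_settings(log: str) -> List[str]:
    """Flag mPolicies-system lines that weaken the platform.

    EnableLUA = 0 disables UAC on Vista, so processes started by an administrator
    account get its full token without any prompt (my addition; not discussed in the thread).
    """
    return [line.strip() for line in log.splitlines()
            if line.strip().startswith("mPolicies-system:") and "EnableLUA = 0" in line]


# Constructed excerpts of the 24 June and 30 June logs posted in the thread.
OLD_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mPolicies-system: EnableLUA = 0 (0x0)

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-3 51984]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2007-9-17 113128]

=============== Created Last 30 ================

2009-06-24 11:34 153 a------- c:\windows\cavscan.INI
"""

NEW_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uRun: [Google Update] "c:\users\kevin\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mPolicies-system: EnableLUA = 0 (0x0)

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-3-3 51984]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2007-9-17 113128]

=============== Created Last 30 ================

2009-06-26 14:50 719,872 a------- c:\windows\system32\devil.dll
2009-06-24 11:34 153 a------- c:\windows\cavscan.INI
"""


if __name__ == "__main__":
    for section, changes in diff_loading_points(OLD_LOG, NEW_LOG).items():
        print(f"[{section}] +{len(changes['added'])} -{len(changes['removed'])}")
        for entry in changes["added"]:
            print("  + " + entry)
        for entry in changes["removed"]:
            print("  - " + entry)
    for finding in weak_policy_settings(NEW_LOG):
        print("weak setting: " + finding)
```

Run against the two logs above, the diff shows only the two new Run entries (Google Update and RealPlayer's realsched) and no service or driver change, which is consistent with Panda's reading that the logs carry no new loading point.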

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:02:01 PM

Posted 01 July 2009 - 08:47 AM

Hello Kevin.

It sounds to me like your antivirus is stopping attempts at infection rather than finding infections on your machine.

Please tell me which files are being flagged next time.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

With Regards,
The Panda

#14 yoyokev

yoyokev
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:01 AM

Posted 05 July 2009 - 02:35 AM

Hello,

I did a scan using the KAV online scanner with all security settings turned off, and the results, unfortunately, didn't flag any files at all (see below).

However, I did notice that the next time I restarted the computer, it turned off all my Windows Vista Aero settings, and all the toolbars now look like the standard Windows 2000/XP style; in addition, the computer changed all my media files from using VLC player as my default to RealPlayer.

As previously stated, it seems I get attacked when running MSN Messenger, but the weird thing is that the KAV scan didn't pick up on any rootkits, which I previously predicted are a common method of attack over MSN.

Thanks for your patience with these issues!

Cheers,

Kevin




"
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, July 2, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 02, 2009 18:08:15
Records in database: 2415233
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 147296
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:38:34

No malware has been detected. The scan area is clean.

The selected area was scanned.

"

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:02:01 PM

Posted 05 July 2009 - 08:37 AM

Hello.

Rootkits are not attacks, but malware already installed.

Please keep me updated. Try to see what entry KAV says is an infection.

Also take a new DDS.txt log.

With Regards,
The Panda



