Total Antivirus 2009 and other infections


  • This topic is locked
2 replies to this topic

#1 Akthalian

Akthalian

  • Members
  • 48 posts
  • OFFLINE
  • Gender:Male
  • Location:Jacksonville, FL
  • Local time:03:54 AM

Posted 26 September 2009 - 05:48 PM

I work in PC repair and I just took in a customer's Toshiba laptop for a virus removal service. A few important things to note:

1. 64-bit OS, so RootRepeal would not run.
2. When I first attempted to boot into Windows, the machine took the better part of 30 minutes to get to the desktop. After it DID finally get to Windows, Windows Explorer kept freezing and restarting, and after an additional 10 minutes of program errors and such, the laptop finally settled down enough to let me run a few programs.
3. I ran Malwarebytes in safe mode (since initially I didn't have the patience to wait for the machine to boot to Windows normally) and removed a couple of infections, probably about 10, but none of them were Total Anti Virus.
4. Now I have finally disabled all non-Microsoft services and startup items, and the machine booted normally in normal mode. However, Total Antivirus was still present, etc. I killed the process and deleted the folder on the C: drive, which then allowed me to run MWB in normal mode (the virus kept killing it when a scan was launched). However, both it and Spybot Search and Destroy found nothing. GMER also yielded no results.

At this point I'm not totally convinced everything is gone, so I'll be posting the DDS log I was able to get.


DDS (Ver_09-09-24.01) - NTFSx86
Run by Joshua at 18:35:37.03 on Sat 09/26/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3963.2440 [GMT -4:00]

AV: CA Anti-Virus Plus *On-access scanning enabled* (Outdated) {6B98D35F-BB76-41C0-876B-A50645ED099A}
AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: CA Anti-Virus Plus *enabled* (Outdated) {6B98D35F-BB76-41C0-876B-A50645ED099A}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
E:\Virus Removal Tools\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.foxnews.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~2\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: IMBooster4web-en Toolbar: {346de098-61f9-4b42-89da-6dfba7091bb6} - c:\program files (x86)\imbooster4web-en\tbIMBo.dll
mURLSearchHooks: IMBooster4web-en Toolbar: {346de098-61f9-4b42-89da-6dfba7091bb6} - c:\program files (x86)\imbooster4web-en\tbIMBo.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~2\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IMBooster4web-en Toolbar: {346de098-61f9-4b42-89da-6dfba7091bb6} - c:\program files (x86)\imbooster4web-en\tbIMBo.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - Symantec Intrusion Prevention
BHO: UrlHelper Class: {74322bf9-df26-493f-b0da-6d2fc5e6429e} - c:\program files (x86)\bearshare applications\bearshare\BearShareIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre1.6.0_06\bin\ssv.dll
BHO: Iminent.BHO.NavigationError: {84ff7bd6-b47f-46f8-9130-01b2696b36cb} - c:\program files (x86)\iminent\searchtheweb\Iminent.BHO.NavigationError.dll
BHO: LinkToContent Class: {a6e9baaf-53cd-4575-967b-2af710a7d21f} - c:\program files (x86)\iminent\imbooster\Iminent.LinkToContent.dll
BHO: BandooIEPlugin Class: {eb5cee80-030a-4ed8-8e20-454e9c68380f} - c:\program files (x86)\bandoo\plugins\ie\ieplugin.dll
BHO: CA Toolbar Helper: {fbf2401b-7447-4727-be5d-c19b2075ca84} - c:\program files\ca\ca internet security suite\ca website inspector\x86\toolbar\CallingIDIE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~2\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: CA Toolbar: {10134636-e7af-4ac5-a1dc-c7c44bb97d81} - c:\program files\ca\ca internet security suite\ca website inspector\x86\toolbar\CallingIDIE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~2\yahoo!\companion\installs\cpn\yt.dll
TB: BearShare MediaBar: {d3dee18f-db64-4beb-9ff1-e1f0a5033e4a} - c:\program files (x86)\bearshare applications\bearshare mediabar\BearShareMediaBar.dll
TB: IMBooster4web-en Toolbar: {346de098-61f9-4b42-89da-6dfba7091bb6} - c:\program files (x86)\imbooster4web-en\tbIMBo.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files (x86)\java\jre1.6.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files (x86)\common files\pure networks shared\platform\puresp3.dll
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: c:\progra~2\bandoo\bndhook.dll
SEH: ShellHook Class: {1869181a-9f50-4fcf-8bff-1b8588ecb85c} - c:\program files\ca\ca internet security suite\ca website inspector\x86\linkadvisor\CIDLinkAdvisor.dll

============= SERVICES / DRIVERS ===============

R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\kmxamrt.sys --> c:\windows\system32\drivers\KmxAMRT.sys [?]
R0 tos_sps64;TOSHIBA tos_sps64 Service;c:\windows\system32\drivers\tos_sps64.sys --> c:\windows\system32\drivers\tos_sps64.sys [?]
R1 JSWPSLWF;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwfx.sys --> c:\windows\system32\drivers\jswpslwfx.sys [?]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\kmxagent.sys --> c:\windows\system32\drivers\kmxagent.sys [?]
R1 KmxCfg;KmxCfg;c:\windows\system32\drivers\kmxcfg.sys --> c:\windows\system32\drivers\kmxcfg.sys [?]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys --> c:\windows\system32\drivers\tmpreflt.sys [?]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\fwlnk.sys --> c:\windows\system32\drivers\FwLnk.sys [?]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-5-19 93184]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S4 atashost;WebEx Service Host for Support Center;c:\windows\syswow64\atashost.exe [2009-6-1 20376]
S4 Bandoo Coordinator;Bandoo Coordinator;c:\progra~2\bandoo\Bandoo.exe [2009-9-21 1516480]
S4 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-5-19 159472]
S4 ConfigFree Gadget Service;ConfigFree Gadget Service;c:\program files (x86)\toshiba\configfree\CFProcSRVC.exe [2008-6-27 36864]
S4 ConfigFree Service;ConfigFree Service;c:\program files (x86)\toshiba\configfree\CFSvcs.exe [2008-7-10 40960]
S4 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files (x86)\jumpstart\jswpsapi.exe [2009-1-4 954368]
S4 KR10I64;KR10I64;c:\windows\system32\drivers\kr10i64.sys --> c:\windows\system32\drivers\kr10i64.sys [?]
S4 KR10N64;KR10N64;c:\windows\system32\drivers\kr10n64.sys --> c:\windows\system32\drivers\kr10n64.sys [?]
S4 LinksysUpdater;Linksys Updater;c:\program files (x86)\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
S4 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-4-24 84992]
S4 TMachInfo;TMachInfo;c:\program files (x86)\toshiba\toshiba service station\TMachInfo.exe [2008-8-14 46392]
S4 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-9-26 854280]
S4 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 175104]
S4 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2008-12-12 2145272]
S4 UmxCfg;HIPS Configuration Interpreter;c:\program files (x86)\ca\sharedcomponents\hipsengine\UmxCfg.exe [2008-12-10 797176]
S4 UmxPol;HIPS Policy Manager;c:\program files (x86)\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-12-19 297464]

=============== Created Last 30 ================

2009-09-26 15:00 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-09-26 15:00 <DIR> --d----- c:\program files (x86)\Spybot Search & Destroy(2)
2009-09-26 15:00 <DIR> --d----- c:\progra~3\Spybot - Search & Destroy
2009-09-26 14:59 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-26 14:59 <DIR> --d----- c:\program files (x86)\Malwarebytes' Anti-Malware
2009-09-26 12:37 <DIR> --d----- c:\programdata\Trend Micro
2009-09-26 12:37 <DIR> --d----- c:\progra~3\Trend Micro
2009-09-25 12:33 <DIR> --d----- c:\program files (x86)\common files\TSUninstall
2009-09-21 09:15 <DIR> --d----- c:\users\joshua\appdata\roaming\Bandoo
2009-09-21 09:14 <DIR> --d----- c:\programdata\Bandoo
2009-09-21 09:14 <DIR> --d----- c:\progra~3\Bandoo
2009-09-21 09:14 <DIR> --d----- c:\program files (x86)\Bandoo
2009-09-09 22:51 <DIR> --d----- c:\programdata\Hewlett-Packard
2009-09-09 22:36 <DIR> --d----- c:\windows\carrier
2009-09-09 22:36 <DIR> --d----- c:\program files (x86)\HP
2009-09-09 22:22 <DIR> --d----- c:\programdata\HP
2009-09-08 22:08 104,960 a------- c:\windows\system32\netiohlp.dll
2009-09-08 22:08 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-09-08 22:08 19,968 a------- c:\windows\system32\ARP.EXE
2009-09-08 22:08 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-09-08 22:08 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-09-08 22:08 10,240 a------- c:\windows\system32\finger.exe
2009-09-08 22:08 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-09-08 22:08 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-09-08 22:08 17,920 a------- c:\windows\system32\netevent.dll
2009-09-08 22:08 2,868,224 a------- c:\windows\system32\mf.dll
2009-09-08 22:07 293,376 a------- c:\windows\system32\wlanmsm.dll
2009-09-08 22:07 127,488 a------- c:\windows\system32\L2SecHC.dll
2009-09-08 22:07 302,592 a------- c:\windows\system32\wlansec.dll
2009-09-03 16:48 <DIR> --d-h--- c:\programdata\{043AF2C6-8F13-4D97-B13C-0ECF538281D9}
2009-09-03 16:48 <DIR> --d-h--- c:\progra~3\{043AF2C6-8F13-4D97-B13C-0ECF538281D9}
2009-09-03 16:47 <DIR> --d----- c:\programdata\Iminent
2009-09-03 16:47 <DIR> --d----- c:\progra~3\Iminent
2009-09-03 16:47 <DIR> --d----- c:\program files (x86)\Iminent
2009-09-03 16:47 <DIR> --d-h--- c:\programdata\{567066F5-4167-42EB-91E3-FC7889D390C7}
2009-09-03 16:47 <DIR> --d-h--- c:\progra~3\{567066F5-4167-42EB-91E3-FC7889D390C7}
2009-09-03 16:43 <DIR> --d----- c:\program files (x86)\IMBooster4web-en
2009-09-02 18:42 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-09-02 18:42 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-01 03:00 2,048 a------- c:\windows\system32\tzres.dll
2009-08-31 22:09 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-31 22:09 213,504 a------- c:\windows\system32\msv1_0.dll
2009-08-31 22:09 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-31 22:09 270,848 a------- c:\windows\system32\schannel.dll
2009-08-31 22:09 76,800 a------- c:\windows\system32\secur32.dll

==================== Find3M ====================

2009-09-26 18:13 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-26 18:13 51,200 a------- c:\windows\inf\infpub.dat
2009-09-26 12:38 86,016 a------- c:\windows\inf\infstor.dat
2009-08-28 08:50 331,776 a------- c:\windows\apppatch\apppatch64\AcLayers.dll
2009-08-28 08:50 281,600 a------- c:\windows\apppatch\apppatch64\AcGenral.dll
2009-08-28 08:50 100,352 a------- c:\windows\apppatch\apppatch64\acspecfc.dll
2009-08-28 08:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 08:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 08:38 541,696 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 08:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll
2009-07-18 12:06 827,904 a------- c:\windows\system32\wininet.dll
2009-07-18 12:01 78,336 a------- c:\windows\system32\ieencode.dll
2009-07-18 05:46 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 10:35 71,680 a------- c:\windows\system32\atl.dll
2009-07-14 09:00 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-14 08:59 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-14 08:58 7,680 a------- c:\windows\system32\spwmp.dll
2009-07-14 06:59 8,147,456 a------- c:\windows\system32\wmploc.DLL
2008-08-14 16:09 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 23:21 174 a--sh--- c:\program files (x86)\desktop.ini
2006-11-02 11:14 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 11:14 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 11:14 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 11:14 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 06:52 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 06:52 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 06:52 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 06:52 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-19 01:46 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-19 01:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-19 01:46 16,384 a--sh--- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 18:35:55.57 ===============

Thanks in advance!

A+ Certified Support Technician
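A DDS "Pseudo HJT Report" like the one above is long, and the entries worth a second look are a small subset: registrations whose target file is gone ("No File"), load points that run inside every process or every logon (AppInit_DLLs, LSP, Winlogon Notify, shell execute hooks), and paths that match names an analyst has already put on a watchlist. The following triage script is an added example, not part of the original post and not part of the DDS tool; it parses DDS-style lines and prints review points, not verdicts. The sample input is constructed from a handful of lines copied out of the log above, and the watchlist names (Bandoo, Iminent, IMBooster, BearShare) are simply product names that appear in that log; treat the list as something the analyst maintains, not as a claim about those products.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the DDS "Pseudo HJT Report" in the post.
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: BandooIEPlugin Class: {eb5cee80-030a-4ed8-8e20-454e9c68380f} - c:\program files (x86)\bandoo\plugins\ie\ieplugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
LSP: c:\windows\system32\VetRedir.dll
Notify: PFW - UmxWnp.Dll
AppInit_DLLs: c:\progra~2\bandoo\bndhook.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
"""

# "KIND: rest" is the shape of every entry in the Pseudo HJT section (BHO:, TB:, uRun:, ...).
LINE_RE = re.compile(r"^(?P<kind>[A-Za-z_-]+): (?P<rest>.+)$")

# Load points that deserve a look regardless of what they point at, and why.
HOOK_KINDS = {
    "AppInit_DLLs": "DLL is loaded into every process that maps user32.dll",
    "LSP": "layered service provider sits in the Winsock path of every networked program",
    "Notify": "Winlogon notification package runs at every logon",
    "SEH": "shell execute hook runs each time the shell launches a program",
}

# Analyst-maintained watchlist (assumed); the names here come from the log in the post.
WATCHLIST = ("bandoo", "iminent", "imbooster", "bearshare")


@dataclass
class Finding:
    kind: str
    detail: str
    reasons: list = field(default_factory=list)


def triage(text: str) -> list:
    """Return one Finding per DDS line that merits review, with every reason that applied."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, section headers, and "key = value" lines are skipped
        kind, rest = m.group("kind"), m.group("rest")
        reasons = []
        if rest.endswith("- No File"):
            reasons.append("registration points at a file that no longer exists (orphan, clean-up candidate)")
        if kind in HOOK_KINDS:
            reasons.append(HOOK_KINDS[kind])
        hit = next((w for w in WATCHLIST if w in rest.lower()), None)
        if hit:
            reasons.append(f"path matches watchlist name '{hit}'")
        if reasons:
            findings.append(Finding(kind, rest, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.detail}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run over the sample it reports the two orphaned registrations, the LSP and Notify load points, and the Bandoo plugin and AppInit_DLLs hook; the Adobe BHO and the ehTray run entry pass through untouched. Everything it prints is a prompt to check the file, its signer and its install date (the "Created Last 30" section above gives that date for the Bandoo and Iminent folders), not a removal instruction.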


#2 Akthalian

Akthalian
  • Topic Starter

  • Members
  • 48 posts
  • OFFLINE
  • Gender:Male
  • Location:Jacksonville, FL
  • Local time:03:54 AM

Posted 27 September 2009 - 11:42 AM

I have successfully resolved my issue. Further updates, repeat scanning and a bit of searching yielded results.
A+ Certified Support Technician

#3 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests
  • OFFLINE

Posted 28 September 2009 - 05:10 PM

Thank you for letting us know Akthalian. :(