
Bauer Mini Laptop - Infected


  • This topic is locked
2 replies to this topic

#1 Gruffbaby


  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:58 AM

Posted 29 November 2009 - 06:38 AM

Right, let's give you some background information on the problem then. My niece's Bauer mini laptop is infected with some nasties. At present I can boot into XP & safe mode, but no antispyware or virus programs will run in either mode.

1. Malwarebytes will install but will not run - error failed to load
2. Spyware Doctor will install but not run - error & countdown to restart
3. AVG free 9.0 only installed from a command prompt but will not initialise.

Tried several other programs, all with the same issues. Also, neither IE nor Safari will access the internet. The XP theme has reverted to the classic style also.

There are no Windows services running & I am unable to start them; there are no svchost.exe running either. Also I cannot access the user settings, & cut, copy, paste & drag & drop are not available, so I am having to run & install programs off a USB stick.

Below I have attached three reports as requested.


DDS (Ver_09-11-29.01) - NTFSx86
Run by Becky at 11:19:57.46 on 29/11/2009
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\clipsrv.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R? 02a14;02a14
R? 057E;057E
R? 0b87;0b87
R? 121A;121A
R? 23cF;23cF
R? 5474;5474
R? 5fc12;5fc12
R? 70dC;70dC
R? 79b13;79b13
R? 9afB;9afB
R? 9c06;9c06
R? 9c63;9c63
R? a772;a772
R? avg9emc;AVG Free E-mail Scanner
R? avg9wd;AVG Free WatchDog
R? d3210;d3210
R? e168;e168
R? gareth;gareth
R? MEMSWEEP2;MEMSWEEP2
R? RegGuard;RegGuard
R? RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader
R? RtsUIR;Realtek IR Driver
R? sdAuxService;PC Tools Auxiliary Service
R? sdCoreService;PC Tools Security Service
R? vsmon;TrueVector Internet Monitor
S? AvgLdx86;AVG Free AVI Loader Driver x86
S? AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86
S? AvgTdiX;AVG Free Network Redirector
S? IKFileSec;File Security Driver
S? IKSysFlt;System Filter Driver
S? IKSysSec;System Security Driver
S? RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
S? vsdatant;vsdatant

============== File Associations ===============

regfile=regedit.exe /s "%1"
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-11-28 21:25:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Arovax
2009-11-28 20:53:25 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-11-28 20:42:15 2 --shatr- c:\windows\winstart.bat
2009-11-28 11:05:15 0 d-----w- c:\program files\Trend Micro
2009-11-27 11:52:05 98816 ----a-w- c:\windows\sed.exe
2009-11-27 11:52:05 77312 ----a-w- c:\windows\MBR.exe
2009-11-27 11:52:05 260608 ----a-w- c:\windows\PEV.exe
2009-11-27 11:52:05 161792 ----a-w- c:\windows\SWREG.exe
2009-11-27 11:27:41 0 d-----w- C:\$AVG
2009-11-27 11:27:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-27 11:27:23 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-27 11:27:13 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-27 11:27:06 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-27 11:27:04 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-11-27 11:26:49 0 d-----w- c:\program files\AVG
2009-11-27 11:26:49 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-27 09:34:01 0 d-----w- c:\docume~1\becky\applic~1\IObit
2009-11-27 09:34:00 0 d-----w- c:\program files\IObit
2009-11-26 23:29:53 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-11-26 23:29:14 1221008 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-26 23:29:14 0 d-----w- c:\windows\system32\ZoneLabs
2009-11-26 23:29:14 0 d-----w- c:\program files\Zone Labs
2009-11-26 23:29:11 348371 ----a-w- c:\windows\system32\vsconfig.xml
2009-11-26 23:27:10 0 d-----w- c:\windows\Internet Logs
2009-11-26 23:23:26 41288 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-11-26 23:23:26 29000 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-11-26 23:23:25 79688 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-11-26 23:23:25 62280 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-11-26 23:23:09 0 d-----w- c:\program files\Spyware Doctor
2009-11-26 23:23:09 0 d-----w- c:\docume~1\becky\applic~1\PC Tools
2009-11-26 22:28:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 22:28:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-26 22:28:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 22:28:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 22:05:57 34816 ----a-w- c:\windows\system32\drivers\gareth.sys
2009-11-26 21:46:30 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-26 21:18:54 626688 ----a-w- c:\windows\system32\msvcr80.dll
2009-11-26 21:15:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-26 21:02:55 5966 ----a-w- c:\windows\system32\acpimof.Dll
2009-11-26 20:50:39 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-26 20:32:44 0 d-----w- c:\program files\common files\PC Tools
2009-11-26 20:30:03 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-11-26 20:30:03 115920 ----a-w- c:\windows\system32\MSINET.OCX
2009-11-26 20:30:03 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2009-11-26 20:30:02 0 d-----w- c:\program files\SpywareBlaster
2009-11-26 20:25:44 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-26 19:36:23 0 d-----w- c:\program files\CCleaner
2009-11-26 19:07:29 0 d-----w- c:\windows\pss
2009-11-21 22:56:55 0 d-----w- c:\program files\iPod
2009-11-21 22:56:50 0 d-----w- c:\program files\iTunes
2009-11-10 23:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-10 23:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll

============= FINISH: 11:20:26.37 ===============


==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 9.0
Bonjour
CCleaner (remove only)
Choice Guard
HijackThis 2.0.2
Intel® Graphics Media Accelerator Driver
iTunes
Java™ 6 Update 11
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Application Error Reporting
MobileMe Control Panel
MSN
MSVCRT
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
REALTEK RTL8187 Wireless LAN Driver
Safari
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Segoe UI
SoftWareCenter V1.05
Spyware Doctor 5.1
SpywareBlaster 4.0
Synaptics Pointing Device Driver
System Search Dispatcher
Update for Windows Internet Explorer 8 (KB976749)
USB2.0 Card Reader Software
WebFldrs XP
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
ZoneAlarm

==== End Of File ===========================


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/29 11:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8A74000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF72FA000 Size: 81920 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90a26e0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90af490

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa93326dc

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa9332c9c

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90a2c70

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90afd10

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90afac0

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90b0230

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90b02b0

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90a2ad0

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90b0970

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90b03d0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90b07c0

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90a2ea0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xa90af800

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa9331c5c

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\iksysflt.sys" at address 0xa9331374

==EOF==
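The SERVICES / DRIVERS section of the DDS log above shows a run of short hex-like service names (02a14, 057E, 0b87, ...) whose display name is simply the name repeated, next to ordinary vendor entries. As an added triage helper that is not part of this thread or of DDS itself, the Python below parses that block format and flags that pattern; the sample input is a constructed excerpt of the entries posted above, and the hits are leads for a responder to check against the file system and created-files list, not verdicts.

```python
import re

# Constructed excerpt of the "SERVICES / DRIVERS" block from the DDS log above
# (a subset of the posted entries, used here as sample input).
DDS_SERVICES = """\
R? 02a14;02a14
R? 057E;057E
R? 0b87;0b87
R? 5fc12;5fc12
R? avg9emc;AVG Free E-mail Scanner
R? avg9wd;AVG Free WatchDog
R? gareth;gareth
R? MEMSWEEP2;MEMSWEEP2
R? RegGuard;RegGuard
R? RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader
S? AvgTdiX;AVG Free Network Redirector
S? vsdatant;vsdatant
"""

# DDS writes one entry per line as "<state>? <service name>;<display name>".
LINE_RE = re.compile(r"^([RS])\?\s+([^;]+);(.*)$")
# Short label made only of hex digits, e.g. 02a14 or 057E.
HEXISH_RE = re.compile(r"^[0-9a-fA-F]{4,5}$")


def parse_services(text):
    """Yield (state, name, display_name) for each parseable DDS service line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def suspicious_services(text):
    """Return service names that look like random hex labels AND whose
    display name only repeats the service name.

    Legitimate tools also repeat the name (MEMSWEEP2, RegGuard above),
    so the hex-like shape, not the repetition alone, is the discriminator.
    """
    return [name for _, name, display in parse_services(text)
            if HEXISH_RE.match(name) and display == name]


def triage_summary(text):
    """Counts used when eyeballing a log: total entries and flagged names."""
    entries = list(parse_services(text))
    flagged = suspicious_services(text)
    return {"total": len(entries), "flagged": flagged}


if __name__ == "__main__":
    print(triage_summary(DDS_SERVICES))
```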



#2 syler


  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:58 AM

Posted 10 December 2009 - 10:34 AM

Hi,

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Then please post back here with the following logs:
  • OTListIt.txt
  • Extra.txt
Thanks



#3 syler


  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:02:58 AM

Posted 15 December 2009 - 11:31 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
