
avsyncmac.exe, others and popups


  • This topic is locked
2 replies to this topic

#1 thinger62


Posted 19 December 2009 - 12:18 PM

I'm normally very careful with my PCs and am not sure how I got this. Upon startup today AVG reported asyncmac.exe was infected. I deleted it, but XP just regenerated it. I also started getting popups at the same time this morning, although not too often, using Firefox. For some reason, my new install of Office 2007 seems to be buggy now too. This is my DDS report:


DDS (Ver_09-12-01.01) - NTFSx86
Run by admin at 11:03:03.34 on Sat 12/19/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2814.2191 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //eml:c:\documents and settings\admin\desktop\Fw_ FW_ Xmas greetings.eml
mWinlogon: Shell=Explorer.exe logon.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NWEReboot]
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [hijawiduf] Rundll32.exe "c:\windows\system32\rikojine.dll",a
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: fezahoyu.dll c:\windows\system32\rikojine.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: pafabukuf - {02eff486-4e21-4a78-9141-77acceab309e} - c:\windows\system32\rikojine.dll
STS: tokatiluy: {02eff486-4e21-4a78-9141-77acceab309e} - c:\windows\system32\rikojine.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli sakalimo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\vpag1907.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\documents and settings\admin\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-28 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-28 28424]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-28 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-1 133104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-10-23 1684736]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2009-10-23 17488]

=============== Created Last 30 ================

2009-12-19 16:03:59 0 d-----w- c:\windows\pss
2009-12-19 15:55:30 34308 ----a-w- c:\windows\system32\logon.exe
2009-12-08 15:06:09 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-12-05 15:04:50 7680 ----a-w- c:\windows\system32\CNMVS61.DLL
2009-12-05 15:04:50 116736 ----a-w- c:\windows\system32\CNMLM61.DLL
2009-12-05 15:04:48 86016 ----a-r- c:\windows\system32\CNMCP61.exe
2009-12-05 15:04:42 0 d--h--w- C:\BJPrinter
2009-12-05 15:02:40 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-05 15:02:40 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-12-02 23:05:32 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-02 23:02:46 0 d-----r- c:\program files\Skype
2009-12-02 23:00:48 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-12-02 23:00:48 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-11-28 18:31:53 0 d--h--w- C:\$AVG
2009-11-28 18:31:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-28 18:31:39 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-28 18:31:36 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-28 18:31:32 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-28 13:03:07 0 d-----w- c:\docume~1\admin\applic~1\Hawkeye
2009-11-28 13:02:51 250544 ----a-w- c:\windows\system32\keyhelp.ocx
2009-11-28 13:02:50 0 d-----w- c:\program files\Comproware
2009-11-24 22:24:57 3249 ----a-w- c:\windows\system32\wbem\Outlook_01ca6d54f3e22026.mof
2009-11-22 16:17:57 27792 ----a-w- c:\windows\system32\drivers\point32.sys
2009-11-22 16:17:10 0 d-----w- c:\program files\Microsoft IntelliPoint
2009-11-22 16:16:16 0 d-----w- c:\program files\Microsoft IntelliType Pro
2009-11-20 23:59:18 0 d-----w- c:\program files\Windows Media Connect 2
2009-11-20 23:58:14 0 d-----w- C:\9645bf9c3d426089709c007b55b938
2009-11-20 23:58:11 0 d-----w- c:\windows\system32\LogFiles
2009-11-20 23:57:49 0 d-----w- C:\74a0738802f6cb23818cec0d6a

==================== Find3M ====================

2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 21:22:01 0 ----a-w- c:\program files\error.dat
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-24 04:07:41 17488 ----a-w- c:\windows\etdrv.sys
2009-10-24 04:07:31 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-10-24 04:07:24 17488 ----a-w- c:\windows\gdrv.sys
2009-10-24 03:22:27 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-09-28 18:20:43 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2009-09-19 16:00:41 39424 --sha-w- c:\windows\system32\fawuruvo.dll
2009-09-19 15:55:14 52736 --sha-w- c:\windows\system32\fezahoyu.dll
2009-09-19 15:55:14 52736 --sha-w- c:\windows\system32\jobaruse.dll
2009-09-19 16:00:41 93184 --sha-w- c:\windows\system32\rikojine.dll
2009-09-19 15:55:14 52736 --sha-w- c:\windows\system32\sakalimo.dll

============= FINISH: 11:03:27.34 ===============


This is my RootRepeal report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/19 11:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA828E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA49EB000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\$avg\$chjw\3b500f09-e895-4c8f-9030-d9f3d83ebc5e
Status: Size mismatch (API: 1597088, Raw: 1565528)

Path: c:\$avg\$chjw\5f29c143-4a3e-4af1-b8d0-ab65ca8e5cd2
Status: Size mismatch (API: 973760, Raw: 929180)

Path: C:\Documents and Settings\admin\Local Settings\Temp\plugtmp-4
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin\Local Settings\Temp\~DF6540.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\admin\Local Settings\Temp\~DF7132.tmp
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\admin\application data\mozilla\firefox\profiles\vpag1907.default\sessionstore.js
Status: Size mismatch (API: 13282, Raw: 13283)

==EOF==


Attached is the 'attach' file.

I appreciate any advice or help, and thanks...


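The DDS log above records several load points that are empty or fixed on a clean XP install: the Winlogon Shell value carries a second executable (logon.exe), AppInit_DLLs names two DLLs, the LSA Notification Packages list has an extra entry beside scecli, and one randomly named DLL (rikojine.dll) is referenced from a Run key, AppInit_DLLs, an SSODL entry and an STS entry, while the Find3M listing shows those DLLs with the system+hidden attributes. The script below is an added example for this thread, not DDS, RootRepeal, or anything the poster ran; it parses lines in the DDS "Pseudo HJT Report" and file-listing formats, flags deviations from the assumed XP defaults it declares at the top (the baselines and the "WPDShServiceObj is benign" allowlist are assumptions), lists system+hidden files, and ranks DLLs by how many distinct load points reference them. The sample input is a constructed subset of lines copied from the log in the post.

```python
"""Triage a DDS log: load points that differ from stock XP values, files
with the system+hidden attributes, and DLLs hit from several load points.

Added example for this thread; not part of DDS, RootRepeal or the post.
The XP defaults and the SSODL allowlist below are assumptions.
"""
import re
from collections import defaultdict

# Assumed XP defaults; anything beyond these is reported.
WINLOGON_SHELL_DEFAULT = {"explorer.exe"}
LSA_NOTIFY_DEFAULT = {"scecli"}
KNOWN_SSODL = {"wpdshserviceobj"}      # assumption: benign WPD shell object

DLL_RE = re.compile(r"[\w~-]+\.dll", re.IGNORECASE)
# DDS file line: date time size attrs path ("... 93184 --sha-w- c:\...")
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d)\s+(\d+)\s+([\w-]{8})\s+(.+)$")

# Constructed sample: a subset of lines copied from the DDS log in the post.
SAMPLE = r"""
mWinlogon: Shell=Explorer.exe logon.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [hijawiduf] Rundll32.exe "c:\windows\system32\rikojine.dll",a
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: fezahoyu.dll c:\windows\system32\rikojine.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: pafabukuf - {02eff486-4e21-4a78-9141-77acceab309e} - c:\windows\system32\rikojine.dll
STS: tokatiluy: {02eff486-4e21-4a78-9141-77acceab309e} - c:\windows\system32\rikojine.dll
LSA: Notification Packages = scecli sakalimo.dll
2009-11-28 18:31:39 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-19 16:00:41 39424 --sha-w- c:\windows\system32\fawuruvo.dll
2009-09-19 15:55:14 52736 --sha-w- c:\windows\system32\fezahoyu.dll
2009-09-19 16:00:41 93184 --sha-w- c:\windows\system32\rikojine.dll
2009-09-19 15:55:14 52736 --sha-w- c:\windows\system32\sakalimo.dll
"""


def hjt_findings(lines):
    """Return (findings, dll_refs).  findings: (load_point, detail) pairs
    that should not exist on a clean XP box.  dll_refs: DLL basename ->
    set of load-point kinds (mRun, AppInit_DLLs, SSODL, ...) naming it."""
    findings, dll_refs = [], defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line or FILE_RE.match(line):
            continue                      # file listings handled separately
        kind, sep, body = line.partition(":")
        if not sep:
            continue
        kind, body = kind.strip(), body.strip()
        for dll in DLL_RE.findall(body):
            dll_refs[dll.lower()].add(kind)
        if kind == "mWinlogon" and body.lower().startswith("shell="):
            extra = set(body[len("shell="):].lower().split()) - WINLOGON_SHELL_DEFAULT
            if extra:                     # a second shell starts at every logon
                findings.append(("Winlogon Shell", " ".join(sorted(extra))))
        elif kind == "AppInit_DLLs" and body:
            # Loaded into every process that maps user32.dll; empty by default.
            findings.append(("AppInit_DLLs", body))
        elif kind == "LSA":
            name, _, vals = body.partition("=")
            if name.strip().lower() == "notification packages":
                extra = set(vals.lower().split()) - LSA_NOTIFY_DEFAULT
                if extra:                 # loaded by lsass.exe, sees password changes
                    findings.append(("LSA Notification Packages", " ".join(sorted(extra))))
        elif kind == "SSODL":
            if body.split(" - ", 1)[0].strip().lower() not in KNOWN_SSODL:
                findings.append(("SSODL", body))   # loaded by Explorer at start
        elif kind == "mRun" and "rundll32" in body.lower():
            findings.append(("Run (rundll32 loader)", body))
    return findings, dict(dll_refs)


def hidden_system_files(lines):
    """Paths whose DDS attribute string carries both 's' and 'h'."""
    hits = []
    for raw in lines:
        m = FILE_RE.match(raw.strip())
        if m and "s" in m.group(4) and "h" in m.group(4):
            hits.append(m.group(5).strip())
    return hits


def multi_point_dlls(dll_refs, minimum=2):
    """DLLs referenced from at least `minimum` load points, most first."""
    ranked = sorted(((len(k), d, sorted(k)) for d, k in dll_refs.items()
                     if len(k) >= minimum), reverse=True)
    return [(d, kinds) for _, d, kinds in ranked]


def triage(text):
    lines = text.splitlines()
    findings, refs = hjt_findings(lines)
    return {"findings": findings,
            "multi": multi_point_dlls(refs),
            "hidden_system": hidden_system_files(lines)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE).items():
        print(section)
        for item in items:
            print("   ", item)
```

A DLL referenced from two load points is a lead rather than a verdict (a legitimate shell extension can appear as both a BHO and a shell-execute hook), which is why the script ranks rather than labels; the combination seen here, the same DLL in four load points plus system+hidden attributes on files with random eight-letter names, is what a helper would act on first.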

#2 thinger62


Posted 20 December 2009 - 02:35 PM

Thanks anyway, but I reformatted/reinstalled this morning.

#3 Elise

  • Malware Study Hall Admin

Posted 25 December 2009 - 07:15 AM

Topic closed.

regards, Elise
