Infected with Win32:Malware-gen, Win32:Rootkit-gen, and Win32:Spyware-gen


  • This topic is locked
2 replies to this topic

#1 jimbywonga
Posted 27 December 2009 - 07:06 PM

Firefox and, mostly, IE are experiencing redirects when I search through any search engine. Avast is continuously stopping malware in the Windows\Temp folder.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ricardo at 15:09:36.31 on Sun 12/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2184 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 091227-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Evernote\Evernote3\Evernote.exe
C:\Program Files\Evernote\Evernote3\EvernoteTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Ricardo\LOCALS~1\Temp\RoboForm\RoboTaskBarIcon.exe
C:\Documents and Settings\Ricardo\My Documents\= Software =\- Tech Tools -\Anti Malware\HiJackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\Ricardo\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
Trusted Zone: netflix.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ricardo\applic~1\mozilla\firefox\profiles\h2u4mn3q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\ricardo\application data\mozilla\firefox\profiles\h2u4mn3q.default\extensions\{22119944-ed35-4ab1-910b-e619ea06a115}\components\rfproxy_31.dll
FF - component: c:\documents and settings\ricardo\application data\mozilla\firefox\profiles\h2u4mn3q.default\extensions\twitternotifier@naan.net\components\nsTwitterFoxSign.dll
FF - plugin: c:\documents and settings\ricardo\application data\mozilla\firefox\profiles\h2u4mn3q.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\ricardo\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\ricardo\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-12 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-12 138680]
R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [2009-1-25 941784]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-1-23 47640]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-12 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-12 352920]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-7-24 12192]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2009-9-30 116736]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ricardo\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\ricardo\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-12 133104]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2009-2-27 6016]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-6-27 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72728]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-12-13 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-12-13 3072]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 NUVision;NUVision II Video Service;c:\windows\system32\drivers\nuvvid2.sys [2009-1-23 153760]
S3 SASENUM;SASENUM;\??\c:\docume~1\ricardo\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\ricardo\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-25 25088]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-7-5 79888]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-12-27 21:32:35 0 d-----w- c:\windows\ERUNT
2009-12-27 21:25:48 0 d-----w- C:\SDFix
2009-12-27 18:14:14 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-27 18:06:12 0 d-sh--w- c:\docume~1\ricardo\applic~1\.#
2009-12-26 19:15:42 3554 ----a-w- c:\windows\system32\tmp.reg
2009-12-26 18:32:15 0 d-----w- c:\program files\SpywareBlaster
2009-12-26 08:49:39 0 d-sha-r- C:\cmdcons
2009-12-26 08:46:40 98816 ----a-w- c:\windows\sed.exe
2009-12-26 08:46:40 77312 ----a-w- c:\windows\MBR.exe
2009-12-26 08:46:40 261632 ----a-w- c:\windows\PEV.exe
2009-12-26 08:46:40 161792 ----a-w- c:\windows\SWREG.exe
2009-12-26 08:41:37 389120 ----a-w- c:\windows\system32\CF19689.exe
2009-12-24 19:59:41 0 d-----w- c:\docume~1\ricardo\applic~1\GlarySoft
2009-12-24 19:36:59 0 d-----w- c:\program files\Glary Utilities
2009-12-21 07:21:15 0 d-----w- c:\docume~1\ricardo\applic~1\Command & Conquer 3 Tiberium Wars
2009-12-21 07:05:13 108144 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-21 06:57:31 98304 ----a-w- c:\windows\system32CmdLineExt.dll
2009-12-21 06:37:04 334792 ----a-w- c:\windows\system32\_AxShlEx.dll
2009-12-21 06:36:35 0 d-----w- c:\program files\Alcohol Soft
2009-12-21 06:28:57 716272 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-21 01:35:12 1096 ----a-w- c:\windows\boobbutton.bmp
2009-12-21 01:20:15 1033728 ----a-w- c:\windows\explorer.bak
2009-12-20 21:46:02 3 ----a-w- c:\windows\system32\msqctp.ini
2009-12-20 21:46:02 0 d-----w- c:\docume~1\ricardo\applic~1\Fronoh
2009-12-20 21:45:58 2912256 ----a-w- c:\windows\system32\MediaInfo.dll
2009-12-20 21:45:58 0 d-----w- c:\program files\MP3 & MPEG Joiner
2009-12-20 20:22:46 0 d-----w- c:\docume~1\ricardo\applic~1\Sedna Wireless
2009-12-20 20:22:29 0 d-----w- c:\program files\Call Graph
2009-12-20 20:22:29 0 d-----w- c:\docume~1\ricardo\applic~1\Call Graph
2009-12-20 18:38:33 0 d-----r- C:\Sandbox
2009-12-20 18:36:53 1464 ----a-w- c:\windows\Sandboxie.ini
2009-12-20 18:36:18 0 d-----w- c:\program files\Sandboxie
2009-12-18 21:02:02 0 d-----w- c:\program files\WinDirStat
2009-12-16 04:55:54 540000 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-12-07 02:43:13 0 d-----w- c:\program files\common files\supportsoft
2009-12-07 02:35:11 0 d-----w- c:\program files\Intuit
2009-12-07 02:29:42 90 ----a-w- c:\windows\QBChanUtil_Trigger.ini
2009-12-07 02:29:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SQL Anywhere 10
2009-12-07 02:29:36 0 d-----w- c:\docume~1\alluse~1\applic~1\COMMON FILES
2009-12-01 18:05:31 3247 ----a-w- c:\windows\system32\wbem\Outlook_01ca72b0deccba50.mof

==================== Find3M ====================

2009-12-26 09:35:42 45568 ----a-w- c:\windows\system32\drivers\SiSRaid.sys
2009-12-23 07:17:20 971552 ----a-w- c:\windows\system32\drivers\tdrpm174.sys
2009-12-23 07:17:13 44704 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-12-04 00:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-23 06:32:33 37004 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll
2009-11-03 03:29:16 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-19 02:22:08 189392 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-02 00:42:49 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-02 00:42:48 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-10-02 00:42:48 28984 ----a-w- c:\windows\system32\LMIport.dll

============= FINISH: 15:11:16.54 ===============
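A DDS log like the one above is read by hand on the forum, but the two sections that usually decide where a helper looks first (the Run-key lines and "Created Last 30") have a regular enough shape to parse. The script below is an added example by the editor, not a tool from the original post, from DDS or from BleepingComputer. The sample input is a handful of lines copied from the log above (abridged), the `Finding` type and the function names are the editor's, and the three heuristics and their thresholds are the editor's assumptions about what deserves a second look; a hit means "inspect this next", not "this is malware".

```python
"""Triage helper for a DDS log in the format posted above (editor's example).

Splits the log into its '=== Section ===' blocks, parses the Run-key and
'Created Last 30' lines, and applies a few generic, editor-chosen heuristics.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS log above, abridged.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
=============== Created Last 30 ================
2009-12-27 18:06:12 0 d-sh--w- c:\docume~1\ricardo\applic~1\.#
2009-12-26 08:49:39 0 d-sha-r- C:\cmdcons
2009-12-21 01:20:15 1033728 ----a-w- c:\windows\explorer.bak
2009-12-20 21:46:02 3 ----a-w- c:\windows\system32\msqctp.ini
2009-12-20 21:46:02 0 d-----w- c:\docume~1\ricardo\applic~1\Fronoh
2009-12-20 18:36:53 1464 ----a-w- c:\windows\Sandboxie.ini
2009-12-16 04:55:54 540000 ----a-w- c:\windows\system32\drivers\timntr.sys
==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
RUN_RE = re.compile(r"^[um]Run:\s+\[([^\]]*)\]\s*(.*)$")
# timestamp, size, 8-char attribute field (d/r/h/s/a/w or '-'), path
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{8})\s+(.+)$")
USER_APPDATA_MARKERS = ("\\applic~1\\", "\\application data\\")


@dataclass
class Finding:
    section: str  # DDS section the line came from
    item: str     # Run value name, or the file system path
    reason: str   # which heuristic fired


def split_sections(text: str) -> dict[str, list[str]]:
    """Group non-empty lines under the '=== Name ===' header preceding them."""
    sections: dict[str, list[str]] = {}
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def run_executable(command: str) -> str:
    """Executable part of a Run-key command: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def flag_run_entries(lines: list[str], section: str) -> list[Finding]:
    """A bare file name (no drive, no backslash) is located through the loader's
    search path at logon, so confirm which file on disk actually answers to it."""
    out = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            name, command = m.groups()
            exe = run_executable(command)
            if exe and "\\" not in exe and ":" not in exe:
                out.append(Finding(section, name, f"bare executable name {exe!r}"))
    return out


def flag_created_entries(lines: list[str], section: str) -> list[Finding]:
    """Three heuristics over new file-system objects; thresholds are the editor's."""
    out = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        _when, size, attrs, path = m.groups()
        low = path.lower()
        parent, _, name = low.rpartition("\\")
        is_dir, hidden = attrs.startswith("d"), "h" in attrs
        if is_dir and hidden and any(mk in low for mk in USER_APPDATA_MARKERS):
            out.append(Finding(section, path, "hidden directory under a user's Application Data"))
        elif not is_dir and 0 < int(size) < 16 and parent.endswith("\\system32"):
            out.append(Finding(section, path, f"{size}-byte data file written into system32"))
        elif not is_dir and name.endswith(".bak") and parent.endswith("\\windows"):
            out.append(Finding(section, path, "backup of a %windir% file; check what replaced the original"))
    return out


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for section, lines in split_sections(log_text).items():
        if section.startswith("Pseudo HJT"):
            findings += flag_run_entries(lines, section)
        elif section.startswith("Created Last"):
            findings += flag_created_entries(lines, section)
    return findings
```

Run `triage(open("dds.txt").read())` against a full log and print each `Finding`; on the sample it reports the three Run values that name a bare executable and three of the seven created objects, while leaving `C:\cmdcons` (hidden, but not under a user profile) and `Sandboxie.ini` alone. The heuristics are deliberately narrow; the point is to separate what is parseable from what still needs a human.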

#2 jimbywonga
Posted 01 January 2010 - 04:10 AM

Please close this post. I'm reformatting and reinstalling an Acronis Image prior to the infection. Thanks anyway.

#3 Elise
Malware Study Hall Admin
Posted 01 January 2010 - 08:45 AM

Topic closed upon member's request.

regards, Elise