Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infection by AntiVirus Live 2009


  • This topic is locked This topic is locked
2 replies to this topic

#1 darwinlady

darwinlady

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 02 January 2010 - 04:55 PM

Hello, thank you very much for your help in advance. My laptop has been repeatedly hijacked by Antivirus Live 2009 on many occasions over the past few weeks. I have tried to search online for recommended solutions and often have seemed to keep it at bay, but then it returns suddenly after several days. Multiple popup windows warning about the infections on my computer; small windows that say, "Security Warning- Application cannot be executed. The file (insert any number of file names) is infected. Do you want to activate your antivirus software now?" with a yes/no button. Then the typical Antivirus Live scan window opens automatically and starts scanning.

The popups are so numerous when the infection takes hold I cannot do anything else; all attempts at running any programs fail. The only thing that works (usually) is to reboot the computer, and quickly before everything boots up if I start running Malwarebytes scan it usually completes and the other popups stop. This time, however, the scan was clean but I'm still having the same problem. It seems to be the case that whatever I start doing quickly at boot before the popups start seems to work ok, and then I can simply move the popup windows out of my way and ignore them.

Regularly running this scan, along with Spybot and Adaware don't seem to prevent the problem from recurring. The other complication is, it is a laptop from work, and the "network" antivirus program preinstalled is obviously preset and I cannot modify any of the settings, although it doesn't appear to be helping me with this particular problem. I work for a pretty small outfit and our "network security" person is contracted out; if need be, I can solicit their help to disable these programs during diagnosis/cleaning. (anything in the attached logs with the name "Nazareth" is work-related.) I was hoping to avoid that cost if possible, obviously. I have posted the DDS log below and attached both the attach.txt and ark logs.


DDS (Ver_09-12-01.01) - NTFSx86
Run by plarson at 14:53:54.40 on Sat 01/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1316 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\plarson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [cchxnqsi] c:\documents and settings\plarson\local settings\application data\yrplyl\rvpssysguard.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\nuance\naturallyspeaking9\Ereg.ini
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [pdfFactory Dispatcher v2] c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe
mRun: [cchxnqsi] c:\documents and settings\plarson\local settings\application data\yrplyl\rvpssysguard.exe
StartupFolder: c:\docume~1\plarson\startm~1\programs\startup\dragon~1.lnk - c:\program files\nuance\naturallyspeaking9\program\natspeak.exe
StartupFolder: c:\docume~1\plarson\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120155124468
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
Filter: text/html - {cd42f502-b5ef-4d5d-a7f8-ca8cd27fc20c} - c:\windows\default32.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\plarson\applic~1\mozilla\firefox\profiles\url0m40b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\plarson\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-9 64288]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-9-22 106586]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-9-29 69706]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-12-12 9728]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-6-14 80384]
S2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2003-9-29 237657]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-9-22 6016]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2003-9-29 83008]
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys --> \Device\NaiAvFilter101.sys [?]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-7-28 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-7-28 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-7-28 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-7-28 59776]

=============== Created Last 30 ================

2010-01-02 19:40:53 0 d-----w- c:\windows\pss
2009-12-21 00:04:12 1010 ----a-w- C:\fpp2-NT.inf
2009-12-21 00:03:53 249856 ------w- c:\windows\system32\fppmon2.dll
2009-12-21 00:03:53 110592 ------w- c:\windows\system32\fppr232.dll
2009-12-09 19:35:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-09 18:09:39 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-09 18:06:42 0 d-----w- c:\program files\Lavasoft
2009-12-09 17:42:44 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-09 16:24:54 0 d-sh--w- c:\documents and settings\plarson\IECompatCache
2009-12-07 03:46:33 0 d-----w- c:\program files\Trend Micro
2009-12-07 02:48:13 0 d-----w- c:\docume~1\plarson\applic~1\Malwarebytes
2009-12-07 02:48:09 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-07 02:48:07 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-07 02:48:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-07 02:48:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-05 06:18:48 0 d-----w- c:\program files\Shared
2009-12-05 00:08:29 0 d-sh--w- c:\documents and settings\plarson\PrivacIE
2009-12-05 00:05:58 0 d-sh--w- c:\documents and settings\plarson\IETldCache
2009-12-05 00:02:51 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-05 00:01:18 0 d-----w- c:\windows\ie8updates
2009-12-04 23:59:56 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-04 23:59:55 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-04 23:56:52 0 dc-h--w- c:\windows\ie8

==================== Find3M ====================

2009-12-09 02:19:34 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:45:38 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 07:45:37 5940736 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 07:45:37 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-10-29 07:45:37 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 07:45:35 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-29 07:45:35 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-29 07:45:35 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-10-29 07:45:34 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-10-29 07:45:34 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-10-29 07:45:33 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-10-29 07:45:32 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-07 02:59:57 17888 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 14:56:13.56 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:41 AM

Posted 11 January 2010 - 12:21 AM

Hello,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log
Thanks

unite.jpg


#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:41 AM

Posted 16 January 2010 - 04:04 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users