
svchost.exe malware infection


  • This topic is locked
12 replies to this topic

#1 Breyguhn (Members, 7 posts)

Posted 11 January 2010 - 03:47 PM

Avast detects new malware C:\WINDOWS\TEMP\***.tmp every five minutes, name: svchost.exe (*** = random three or four letters). Computer runs fine except for the occasional opening of a new explorer window with game sites. Oh yes, and the "my documents" folder opens automatically on startup.

How do I get rid of this? I have tried scanning with various freeware and detected/removed some suspect objects but the problem remains. I tried creating a RootRepeal Log but the program froze on startup ("Initializing, please wait...").

Can anyone help me??

EDIT: Couldn't wait for an answer but kept trying to solve the problem... Hitman Pro detected a rootkit infection in atapi.sys but was not able to fix it. TDSSKiller.exe, on the other hand, seems to have done it! I no longer get avast svchost.exe warnings or browser redirects! Is it safe to relax?

DDS LOG:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Frida at 20:46:47,71 on 2010-01-11
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.46.1053.18.1023.417 [GMT 1:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! antivirus 4.8.1368 [VPS 100111-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkASv2K.exe
C:\Program\Delade filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
D:\Program\ATB streaming audio rec\FLVSrvc.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\Program\Net iD\iid.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\DNA\btdna.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Personal\bin\Personal.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
D:\Program\Open Office\OpenOffice.org 3\program\soffice.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
D:\Program\Open Office\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Internet Explorer\iexplore.exe
D:\Nerladdat\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.se/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,userinit.exe,
BHO: Länkhjälp till Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll
BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program\dna\btdna.exe"
uRun: [SpybotSD TeaTimer] c:\program\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AsusStartupHelp] c:\program\asus\aasp\1.00.15\AsRunHelp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [REGSHAVE] c:\program\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Adobe Reader Speed Launcher] "c:\program\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ask and Record FLV Service] "d:\program\atb streaming audio rec\FLVSrvc.exe" /run
mRun: [UVS10 Preload] d:\program\video studio\uvPL.exe
mRun: [SunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe"
mRun: [Net iD] "c:\program\net id\iid.exe"
mRun: [avast!] c:\program\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\frida\start-~1\program\autost~1\openof~1.lnk - d:\program\open office\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1.win\start-~1\program\autost~1\personal.lnk - c:\program\personal\bin\Personal.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll
Trusted Zone: forsakringskassan.se
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5BF56AD2-E297-416E-BC49-000005000031} - hxxps://cve.trust.telia.com/TeliaElegUpgrade/iidsetup.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.fujidirekt.se/aurigma/ImageUploader5.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxps://lagring.storegate.se/USER/Files/Cabs/ImageUploader4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-7-1 11264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-6 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-6 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program\alwil software\avast4\ashServ.exe [2010-1-6 138680]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2007-5-23 547744]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [2007-7-1 35712]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program\alwil software\avast4\ashMaiSv.exe [2010-1-6 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program\alwil software\avast4\ashWebSv.exe [2010-1-6 352920]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-11-7 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-11-7 3072]
S3 jgameenp;jgameenp;\??\c:\docume~1\frida\lokala~1\temp\jgameenp.sys --> c:\docume~1\frida\lokala~1\temp\jgameenp.sys [?]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-19 44928]

=============== Created Last 30 ================

2010-01-11 18:58:50 0 d-----w- c:\program\Spybot - Search & Destroy
2010-01-11 18:58:50 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-01-11 18:52:52 0 d-----w- c:\program\TrendMicro
2010-01-11 18:23:20 0 d-----w- c:\docume~1\frida\applic~1\Malwarebytes
2010-01-11 18:23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-11 18:23:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-11 18:23:12 0 d-----w- c:\program\Malwarebytes' Anti-Malware
2010-01-11 18:23:12 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-01-11 18:07:08 0 d-sh--w- c:\documents and settings\frida\PrivacIE
2010-01-11 17:15:19 0 d-sh--w- c:\documents and settings\frida\IETldCache
2010-01-11 16:59:29 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-11 16:59:27 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-11 16:59:23 0 d-----w- c:\windows\ie8updates
2010-01-11 16:58:22 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-11 16:56:09 0 dc-h--w- c:\windows\ie8
2010-01-06 19:19:18 0 d-----w- c:\docume~1\frida\applic~1\AVG8
2010-01-03 20:24:29 0 d-----w- c:\program\Net iD
2010-01-02 09:48:35 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-28 19:25:39 0 d-----w- C:\spoolerlogs
2009-12-15 16:48:30 0 d-----w- c:\docume~1\frida\applic~1\OpenOffice.org
2009-12-15 16:11:14 73728 ----a-w- c:\windows\system32\javacpl.cpl

==================== Find3M ====================

2009-10-29 07:44:35 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-25 07:23:40 78942 ----a-w- c:\windows\system32\perfc01D.dat
2009-10-25 07:23:40 434860 ----a-w- c:\windows\system32\perfh01D.dat

============= FINISH: 20:48:20,78 ===============


Edited by Breyguhn, 12 January 2010 - 01:30 PM.




#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 16 January 2010 - 08:42 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 Breyguhn (Topic Starter, Members, 7 posts)

Posted 17 January 2010 - 03:27 AM

I'm here! I have done quite a few things after posting the DDS log above (but I will stop now!). The problems I had seem to have gone away, but I am not confident that my computer is ok. It would be good if you could somehow confirm that I really have gotten rid of the virus(es).

//Frida

Edited by Breyguhn, 17 January 2010 - 03:28 AM.


#4 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 17 January 2010 - 08:42 AM

Okay, if you've made some changes then please can you run an up-to-date scan from DDS and RootRepeal.

Can you also give me a rundown of what you have tried to deal with the problem.

Thanks

#5 Breyguhn (Topic Starter, Members, 7 posts)

Posted 17 January 2010 - 12:05 PM

Here's a new DDS log. RootRepeal still freezes on me while starting up ("Initializing, please wait...").

I ran "Spybot - Search and Destroy" and "Malwarebytes' Anti-Malware". I can't really remember which program found what, but at least one of them found quite a few things that I deleted (but it didn't fix my main problem). I also ran "Hitman Pro" as someone else who seemed to have the same problem as me recommended it. Hitman Pro detected a rootkit infection in atapi.sys but was not able to fix/delete it. Then I ran TDSSKiller, which also found this infection and managed to fix it(?). Avast no longer finds svchost.exe viruses every five minutes and I no longer get browser redirects. The problem with "my documents" opening on start up I fixed by going into Run - Regedit - (...) - Winlogon folder and removing some text in "Userinit".

My computer seems ok right now, but I don't trust that all viruses are gone.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Frida at 17:47:05,78 on 2010-01-17
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.46.1053.18.1023.350 [GMT 1:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! antivirus 4.8.1368 [VPS 100117-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\StkASv2K.exe
C:\Program\Delade filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
D:\Program\ATB streaming audio rec\FLVSrvc.exe
C:\Program\Java\jre6\bin\jusched.exe
C:\Program\Net iD\iid.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\DNA\btdna.exe
C:\Program\Spybot - Search & Destroy\TeaTimer.exe
C:\Program\Personal\bin\Personal.exe
D:\Program\Open Office\OpenOffice.org 3\program\soffice.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
D:\Program\Open Office\OpenOffice.org 3\program\soffice.bin
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Windows Live\Messenger\msnmsgr.exe
C:\Program\Windows Live\Contacts\wlcomm.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
D:\Nerladdat\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.se/
uInternet Settings,ProxyOverride = *.local
BHO: Länkhjälp till Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program\delade filer\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program\spybot - search & destroy\SDHelper.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll
BHO: Windows Live inloggningshjälpen: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program\delade filer\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program\dna\btdna.exe"
uRun: [SpybotSD TeaTimer] c:\program\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AsusStartupHelp] c:\program\asus\aasp\1.00.15\AsRunHelp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [REGSHAVE] c:\program\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Adobe Reader Speed Launcher] "c:\program\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ask and Record FLV Service] "d:\program\atb streaming audio rec\FLVSrvc.exe" /run
mRun: [UVS10 Preload] d:\program\video studio\uvPL.exe
mRun: [SunJavaUpdateSched] "c:\program\java\jre6\bin\jusched.exe"
mRun: [Net iD] "c:\program\net id\iid.exe"
mRun: [avast!] c:\program\alwils~1\avast4\ashDisp.exe
mRun: [HitmanPro35] "c:\program\hitman pro 3.5\HitmanPro35.exe" /scan:boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\frida\start-~1\program\autost~1\openof~1.lnk - d:\program\open office\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1.win\start-~1\program\autost~1\personal.lnk - c:\program\personal\bin\Personal.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program\spybot - search & destroy\SDHelper.dll
Trusted Zone: forsakringskassan.se
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5BF56AD2-E297-416E-BC49-000005000031} - hxxps://cve.trust.telia.com/TeliaElegUpgrade/iidsetup.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.fujidirekt.se/aurigma/ImageUploader5.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxps://lagring.storegate.se/USER/Files/Cabs/ImageUploader4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-7-1 11264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-6 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-6 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program\alwil software\avast4\ashServ.exe [2010-1-6 138680]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2007-5-23 547744]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [2007-7-1 35712]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program\alwil software\avast4\ashMaiSv.exe [2010-1-6 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program\alwil software\avast4\ashWebSv.exe [2010-1-6 352920]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-11-7 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-11-7 3072]
S3 jgameenp;jgameenp;\??\c:\docume~1\frida\lokala~1\temp\jgameenp.sys --> c:\docume~1\frida\lokala~1\temp\jgameenp.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-19 44928]

=============== Created Last 30 ================

2010-01-12 21:04:31 0 d-----w- c:\windows\pss
2010-01-12 18:24:49 0 d-sh--w- c:\documents and settings\frida\IECompatCache
2010-01-12 16:50:04 370 ----a-w- c:\windows\system32\.crusader
2010-01-12 16:50:03 95360 ----a-w- c:\windows\system32\drivers\atapi_restored.sys
2010-01-12 16:43:20 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-01-12 16:43:15 0 d-----w- c:\program\Hitman Pro 3.5
2010-01-12 16:43:15 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Hitman Pro
2010-01-12 16:36:38 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SecTaskMan
2010-01-12 16:36:34 0 d-----w- c:\program\Security Task Manager
2010-01-11 18:58:50 0 d-----w- c:\program\Spybot - Search & Destroy
2010-01-11 18:58:50 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-01-11 18:52:52 0 d-----w- c:\program\TrendMicro
2010-01-11 18:23:20 0 d-----w- c:\docume~1\frida\applic~1\Malwarebytes
2010-01-11 18:23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-11 18:23:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-11 18:23:12 0 d-----w- c:\program\Malwarebytes' Anti-Malware
2010-01-11 18:23:12 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-01-11 18:07:08 0 d-sh--w- c:\documents and settings\frida\PrivacIE
2010-01-11 17:15:19 0 d-sh--w- c:\documents and settings\frida\IETldCache
2010-01-11 16:59:29 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-11 16:59:27 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-11 16:59:23 0 d-----w- c:\windows\ie8updates
2010-01-11 16:58:22 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-01-11 16:56:09 0 dc-h--w- c:\windows\ie8
2010-01-06 19:19:18 0 d-----w- c:\docume~1\frida\applic~1\AVG8
2010-01-03 20:24:29 0 d-----w- c:\program\Net iD
2010-01-02 09:48:35 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-28 19:25:39 0 d-----w- C:\spoolerlogs

==================== Find3M ====================

2010-01-16 21:46:16 78942 ----a-w- c:\windows\system32\perfc01D.dat
2010-01-16 21:46:16 434860 ----a-w- c:\windows\system32\perfh01D.dat
2010-01-12 18:17:41 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 07:44:35 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 17:47:55,12 ===============

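The two DDS logs in this thread carry the indicators the helper and the poster are working from: a process listed as a bare "svchost.exe" with no image path, a Winlogon Userinit value with an extra entry appended (the line the poster later cleaned by hand in Regedit), and a driver entry pointing into a user temp directory and ending in "[?]" (in these logs, the marker on the two driver entries whose files DDS could not find). The script below is an added example, not code from DDS, from BleepingComputer or from anyone in the thread: it parses a constructed sample made of lines in the shapes DDS prints and flags those indicators. The section names and line formats are read off the logs above; the stock Userinit value and the choice of checks are my own assumptions about what is worth flagging, not anything DDS documents.

```python
"""Heuristic triage of DDS-style log lines for the indicators seen in this thread.

Added example, not code from DDS, BleepingComputer, or anyone in the thread.
Section names and line shapes are taken from the logs posted above; the checks
are assumptions about what a reviewer would want flagged, not DDS behaviour.
"""
import re

# Assumed stock Windows XP value of the Winlogon "Userinit" entry (trailing comma included).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"

# Constructed sample: a handful of lines in the shapes DDS prints, copied from
# the first log in the thread so the checks have something to run on.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.se/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,userinit.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-6 114768]
S3 jgameenp;jgameenp;\??\c:\docume~1\frida\lokala~1\temp\jgameenp.sys --> c:\docume~1\frida\lokala~1\temp\jgameenp.sys [?]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "===== Name =====" headers
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")             # image given as a full drive path
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# "R1 name;display name;image path [date size]" as printed in SERVICES / DRIVERS
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(.+?)(\s+\[[^\]]*\])?$")


def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]} using its ==== headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return [(indicator, offending line), ...] for a DDS log, in log order."""
    findings = []
    sections = parse_sections(text)

    for line in sections.get("Running Processes", []):
        # DDS prints the full image path when it can resolve one; a bare name
        # such as "svchost.exe" is a process it could not tie to a file on disk.
        image = line.split(" -k ", 1)[0]
        if not DRIVE_PATH_RE.match(image):
            findings.append(("process without resolved image path", line))

    for line in sections.get("Pseudo HJT Report", []):
        if line.lower().startswith("mwinlogon: userinit="):
            value = line.split("=", 1)[1].strip().lower()
            # Anything beyond the stock value is an extra program run at every logon.
            if value != DEFAULT_USERINIT:
                findings.append(("non-default Winlogon Userinit value", line))

    for line in sections.get("SERVICES / DRIVERS", []):
        match = SERVICE_RE.match(line)
        if not match:
            continue
        if TEMP_DIR_RE.search(match.group(1)):
            findings.append(("driver image under a temp directory", line))
        if line.endswith("[?]"):
            findings.append(("driver file DDS could not locate", line))

    return findings


if __name__ == "__main__":
    for indicator, line in triage(SAMPLE_LOG):
        print(f"{indicator}: {line}")
```

Run against a full DDS log, `triage()` gives a first-pass list to check by hand rather than a verdict: a bare process name or a temp-directory driver can be benign, and a clean result does not rule out a rootkit that hides its own files, which is exactly why the helper asks for a separate RootRepeal or TDSSKiller log.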

#6 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 17 January 2010 - 12:20 PM

Have you still got the TDSSKiller log?

#7 Breyguhn (Topic Starter, Members, 7 posts)

Posted 17 January 2010 - 12:26 PM

Yup, attaching it.


#8 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 17 January 2010 - 12:30 PM

Yep, that replaced the problem driver file.

Are you having any problems with the PC at the moment at all? Once the atapi.sys file has gone that's usually that.

Please run a quick scan on MBAM for me and post the log.



#9 Breyguhn (Topic Starter, Members, 7 posts)

Posted 17 January 2010 - 12:41 PM

Phew, sounds good. Here's the MBAM log. And no, I don't have any problems at the moment.


Edited by Breyguhn, 17 January 2010 - 12:42 PM.


#10 Breyguhn (Topic Starter, Members, 7 posts)

Posted 17 January 2010 - 12:44 PM

Ok, realised now the log is in Swedish. But it basically says nothing found, so I seem OK. Can I relax? Do I need ten different programs to keep my computer safe, or do you recommend any one in particular?

#11 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 17 January 2010 - 05:04 PM

a "0" is a "0" in any language

I think we can call this one a completed topic. As for recommendations, I would suggest that you run one antivirus (I use Avast) and one antispyware; the best option is SuperAntiSpyware, which I use, and also have MBAM on hand for quick checks. ESET is a good online scanner, and it is useful to keep hold of DDS to do a scan if you need to for this site (or another).

To complete this I need you to do the following final steps. There is a great link at the end with a whole list of legitimate, recommended products - many of them free.


You're clean. Good stuff!

Let's do some clearing up

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it Breyguhn, happy surfing!

Cheers.

m0le

#12 Breyguhn (Topic Starter, Members, 7 posts)

Posted 18 January 2010 - 01:24 PM

Thank you!!!

#13 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 24 January 2010 - 07:19 PM

You are most welcome

----------------------------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



