
unknown virus... will not remove...


  • This topic is locked
3 replies to this topic

#1 BSW

BSW

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 19 January 2010 - 03:11 PM

Background:

Removed several infections with this computer using MBAM and then AVAST. Previous to that computer had only an old Norton for protection.

Everything seemed clean then hours later Avast started warning about a file named: C:\WINDOWS\system32\drivers\cnxvu.sys

File will not delete; MBAM tries to delete it on reboot, but it just comes back.

Other symptoms:

Other viruses start to show up on MBAM scan if computer left connected to internet.

Cannot surf to Google with this computer. Search results from yahoo.ca are redirected to fake sites.

Any help to finish cleaning this computer would be appreciated. Thanks!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Reception at 14:53:05.07 on 19/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.186 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100119-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\TOSHIBA\TOSHIBA e-STUDIO Client\TOSHIBA e-BRIDGE Viewer\eBVServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\TOSHIBA\TOSHIBA e-STUDIO Client\GLDocMon.exe
C:\Program Files\TOSHIBA\TOSHIBA e-STUDIO Client\TOSHIBA e-BRIDGE Viewer\e-BRIDGE Viewer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
F:\new utils CD\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell.com
uSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q=
uStart Page = hxxp://www.google.ca/
mSearch Bar = hxxp://www.mirarsearch.com/?useie5=1&q=
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ToshibaGLDocMon] "c:\program files\toshiba\toshiba e-studio client\GLDocMon.exe"
uRun: [EBViewer] c:\program files\toshiba\toshiba e-studio client\toshiba e-bridge viewer\e-BRIDGE Viewer.exe /q
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SetDefPrt] c:\program files\brother\brmfl04a\BrStDvPt.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210024136066
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxsrvc.dll
Notify: PCANotify - PCANotify.dll
Hosts: 78.159.110.36 www.google.no
Hosts: 78.159.110.36 www.google.com.mx
Hosts: 78.159.110.36 www.google.co.za
Hosts: 78.159.110.36 www.google.fi
Hosts: 78.159.110.36 www.google.dk

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-18 114768]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-5-5 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-18 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-18 138680]
R2 eBVServ;eBVServ;c:\program files\toshiba\toshiba e-studio client\toshiba e-bridge viewer\eBVServ.exe [2007-10-17 69632]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-21 54752]
R2 NProtectService;Norton Unerase Protection;c:\progra~1\norton~1\norton~2\NPROTECT.EXE [2003-9-10 81920]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2004-10-8 585728]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-18 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-18 352920]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S4 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]

=============== Created Last 30 ================

2010-01-19 19:44:27 15 ----a-w- c:\documents and settings\reception\settings.dat
2010-01-19 14:27:04 0 d-----w- c:\program files\Process Revealer Free Edition
2010-01-19 14:27:04 0 d-----w- c:\docume~1\alluse~1\applic~1\prfree
2010-01-18 18:04:52 0 d-----w- c:\windows\system32\appmgmt
2010-01-18 17:16:57 0 d-----w- c:\docume~1\recept~1\applic~1\Malwarebytes
2010-01-18 17:16:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-18 17:16:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-18 17:16:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-18 17:16:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-15 16:54:13 756736 ----a-w- c:\windows\system32\drivers\cnxvu.sys
2010-01-15 16:54:10 0 ----a-w- c:\windows\system32\IS15.exe
2010-01-15 16:53:52 2931 ----a-w- c:\windows\system32\warning.html

==================== Find3M ====================

2010-01-18 17:40:26 1607 ----a-w- c:\windows\system32\nodes.txt.tmp

============= FINISH: 14:54:03.93 ===============

Attached Files


BSW
Strength and Conditioning Coach, Northern Alliance Mixed Martial Arts Competition Team (Join us on Facebook!)


#2 BSW

BSW
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:07:11 AM

Posted 19 January 2010 - 08:23 PM

Well, I had the computer sitting idle while I awaited a reply. Anyway, it froze up. Upon reboot it bluescreens, even in safe mode, with a STOP 00000007 error.

Likely just going to format it, backing up the data now... any information on what I could have done would be appreciated based on the logs, just for future reference.

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,827 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:11 PM

Posted 25 January 2010 - 09:52 AM

Please let me know if you want help trying to get it to boot again or if you already reformatted.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,827 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:11 PM

Posted 03 February 2010 - 10:21 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise
