
Alureon?


  • This topic is locked
6 replies to this topic

#1 Pooh85

  • Members
  • 24 posts
  • Gender:Female

Posted 20 January 2010 - 10:07 PM

Help!

DDS (Ver_09-12-01.01) - NTFSx86
Run by 2gopc at 18:35:42.40 on Wed 01/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.214 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 100120-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Intel\Device Control Package\dcs\DCS.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Intel\Device Control Package\IPMA\bin\IPMA.exe
C:\Program Files\Intel\Device Control Package\dcs\TSController.exe
C:\Program Files\Intel\Device Control Package\fnKeyMon\bin\FnKeyHook.exe
C:\Program Files\Intel\My Storage\MyStorage.exe
C:\Program Files\Intel\Easy Network\EasyNetwork.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Vision Objects\MyScript Stylus\MyScriptStylus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\TouchPanelKit\TouchPackService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\2gopc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearch Page =
uSearch Bar =
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [myscriptstylus.exe] "c:\program files\vision objects\myscript stylus\MyScriptStylus.exe" /i
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [IPMA.exe] c:\program files\intel\device control package\ipma\bin\IPMA.exe
mRun: [TSController.exe] c:\program files\intel\device control package\dcs\TSController.exe
mRun: [DCS_PW_PROD.exe] c:\program files\intel\device control package\dcs\DCS_PW_PROD.exe
mRun: [FnKeyHook.exe] c:\program files\intel\device control package\fnkeymon\bin\FnKeyHook.exe
mRun: [MyStorage] "c:\program files\intel\my storage\MyStorage.exe"
mRun: [EasyNetwork] c:\program files\intel\easy network\EasyNetwork.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://static.slide.com/uploader/SlideImageUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-18 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-18 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-18 138680]
R2 Device Control Service;Device Control Service;c:\program files\intel\device control package\dcs\DCS.exe [2008-11-11 139264]
R2 TouchPack;TouchPack;c:\program files\touchpanelkit\TouchPackService.exe [2009-2-21 57344]
R3 accel;Accelerometer;c:\windows\system32\drivers\accel.sys [2008-10-15 19840]
R3 HPLS;Intel Tablet Sensor Device;c:\windows\system32\drivers\hpls.sys [2008-10-31 14848]
R3 IPMLEBL;Intel IPML ACPI Device;c:\windows\system32\drivers\ipmlebl.sys [2008-11-4 9984]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-18 38224]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-1-14 157696]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-1-13 637952]
R3 uts_bus;UTStarcom USB Composite Device driver (WDM);c:\windows\system32\drivers\uts_bus.sys [2009-11-2 84352]
R3 uts_mdfl;UTStarcom USB Modem Filter;c:\windows\system32\drivers\uts_mdfl.sys [2009-11-2 14976]
R3 uts_mdm;UTStarcom USB Modem Drivers;c:\windows\system32\drivers\uts_mdm.sys [2009-11-2 110848]
R3 uts_serd;UTStarcom USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\uts_serd.sys [2009-11-2 90880]
R3 VKBD;Virtual Keyboard Device;c:\windows\system32\drivers\virkbd.sys [2008-11-7 19200]
S2 gupdate1ca630d517910b6;Google Update Service (gupdate1ca630d517910b6);c:\program files\google\update\GoogleUpdate.exe [2009-11-11 133104]
S2 IPMLSrvc;IPMLSrvc;c:\program files\intel\device control package\ipma\bin\IPMLSrvc.exe [2008-11-19 110592]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-18 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-18 352920]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

=============== Created Last 30 ================

2010-01-19 01:50:59 0 d-----w- c:\docume~1\2gopc\applic~1\Malwarebytes
2010-01-19 01:50:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-19 01:50:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-19 01:50:47 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-19 01:50:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 00:40:11 89 ----a-w- c:\windows\wininit.ini
2010-01-19 00:00:40 0 ----a-w- c:\windows\system32\11478.exe
2010-01-18 23:47:53 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-18 23:47:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-01-18 23:36:23 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2010-01-18 23:36:23 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2010-01-18 23:36:23 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-01-18 20:02:47 0 ----a-w- c:\windows\system32\15724.exe
2010-01-18 19:42:43 0 ----a-w- c:\windows\system32\19169.exe
2010-01-18 19:22:29 0 ----a-w- c:\windows\system32\26500.exe
2010-01-18 19:02:29 0 ----a-w- c:\windows\system32\6334.exe
2010-01-18 17:11:55 0 ----a-w- c:\windows\system32\18467.exe
2010-01-18 13:11:46 1 ----a-w- C:\s
2010-01-06 14:32:41 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-06 14:32:41 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-06 14:32:41 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-05 19:39:45 276 -c--a-w- c:\docume~1\2gopc\applic~1\wklnhst.dat

==================== Find3M ====================

2010-01-20 05:32:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-27 00:50:52 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 18:39:26.82 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/20 18:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9D75000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\_restore{99A62C95-4571-4679-AB9B-B2B2D78545E5}\RP32\A0004852.exe:{C536D4CC-3553-AF11-8371-3242A0273B37}
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{99A62C95-4571-4679-AB9B-B2B2D78545E5}\RP69\A0014112.exe:{52C17856-F511-B2A4-D237-0DB6DF350F5E}
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\2gopc\local settings\temp\~df4c4e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\2gopc\local settings\temp\~df531.tmp
Status: Allocation size mismatch (API: 65536, Raw: 16384)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa0046b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa004574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa004a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa00414c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa00464e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa00408c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa0040f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa00476e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa00472e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaa0048ae

==EOF==


#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 January 2010 - 05:16 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 29 January 2010 - 01:30 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 Pooh85

  • Topic Starter
  • Members
  • 24 posts
  • Gender:Female

Posted 30 January 2010 - 12:13 AM

Sorry I haven't responded! I'm a friend of the computer owner and I was working on it, but since it was in a more usable state, the owner took it back while we waited for a response here. So, I won't be able to run new logs. The issue now is that a message pops up saying the computer will restart in 60 seconds. I can't remember exactly what it says, but when I looked it up, it said it is related to malware.

#5 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 30 January 2010 - 04:01 PM

Hello.

Without any logs or additional information on the situation, I unfortunately can't do much about the problem.

#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 February 2010 - 03:49 PM

Are you still there?

#7 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 04 February 2010 - 08:17 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy