Infected with virus


  • This topic is locked
6 replies to this topic

#1 EricaT

EricaT

  • Members
  • 40 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 03 February 2010 - 06:39 PM

Hello there,
Just about an hour ago my desktop was infected with a virus. Somehow, the computer instantly installed an antivirus by the name of "Antivirus Soft." This antivirus kept giving me small popup windows at the bottom right corner telling me that my computer was infected and that, in order for me to access my own computer files, I had to register for an Antivirus Soft key/account.
I Googled it and didn't find good reports on it. I assumed that was the source of my problem. I tried going to Add/Remove Programs to remove the program (I thought it sounded like a good idea) but I wasn't able to open it up. As a matter of fact, I wasn't able to open multiple programs like Malwarebytes, Task Manager, My Computer...etc. The errors said that the dll files for each program were infected, and therefore they could not be opened. I also scanned my computer with Norton, but there weren't any hits on the virus except for a cookie...Anyway, here are the logs. I hope you nice and knowledgeable people are able to help me. Thanks a bunch!

Here are the DDS, Attach and RootRepeal logs, all in sequential order.






#2 EricaT

EricaT
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 03 February 2010 - 07:00 PM

Sorry... I just saw a guide on how to remove Antivirus Soft. Maybe I'll use that first. Sorry. I'll report back here with any other questions.

#3 EricaT

EricaT
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 04 February 2010 - 06:29 PM

Sorry... OK, so yesterday I followed the steps listed in the Spyware Removal section, as displayed at the top of the page, but Antivirus Soft once again intruded on my desktop the next day. I used rkill in Safe Mode and ran Malwarebytes. One backdoor virus appeared in the Malwarebytes log. I deleted that and thought my computer was back to normal again. Today, when I turned the computer on again, once again Antivirus Soft appeared on my desktop. I ran rkill in Safe Mode and Malwarebytes again, but no virus entries showed up. I'm actually running Malwarebytes again, but not in Safe Mode. Here are the logs I recorded from DDS, Attach and RootRepeal. Thanks for looking at this in advance.


I just finished the Malwarebytes scan and nothing showed up although Antivirus Soft is still on my computer.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 3:08:15,48 on 04.02.2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2771 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data\dxmdnt\xssfsftav.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\dxmdnt\xssfsftav.exe
C:\Documents and Settings\Administrator\Desktop\RootRepeal.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
svchost.exe
C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: BHO Class: {dd92de22-ed91-4560-b788-dee2b26612e6} - c:\program files\devicevm\browser configuration utility\IEHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-IE /HIDEBL
uRun: [dqiahgrh] c:\documents and settings\administrator\local settings\application data\dxmdnt\xssfsftav.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [lxctmon.exe] "c:\program files\lexmark 5400 series\lxctmon.exe"
mRun: [Lexmark 5400 Series Fax Server] "c:\program files\lexmark 5400 series\fm3032.exe" /s
mRun: [EzPrint] "c:\program files\lexmark 5400 series\ezprint.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [dqiahgrh] c:\documents and settings\administrator\local settings\application data\dxmdnt\xssfsftav.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: MaxRecentDocs = 18 (0x12)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\1r9ijf2o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/?src=aim&ncid=snsusaimc00000001
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 amdide1;amdide1;c:\windows\system32\drivers\amdide1.sys [2009-2-12 9096]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-2-4 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-2-4 155160]
R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2010-2-1 212232]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2010-2-1 68136]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-3 236368]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-2-4 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-2-4 352920]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-3 19160]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-1 1684736]

=============== Created Last 30 ================

2010-02-04 09:36:46 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-02-03 14:44:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-02-03 12:05:28 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-02-03 12:05:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-03 12:05:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-03 12:05:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 12:05:15 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-03 05:57:39 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2010-02-03 05:57:38 265728 ------w- c:\windows\system32\dllcache\http.sys
2010-02-03 05:57:38 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2010-02-02 06:10:59 0 d-----w- c:\program files\AIM Toolbar
2010-02-02 06:10:59 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM Toolbar
2010-02-02 06:10:56 0 d-----w- c:\program files\common files\Software Update Utility
2010-02-02 06:10:48 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2010-02-02 06:10:43 0 d-----w- c:\program files\AIM
2010-02-02 06:10:40 0 d-----w- c:\program files\common files\AOL
2010-02-02 06:10:30 457 ---ha-w- C:\IPH.PH
2010-02-02 06:02:57 0 d-----w- c:\docume~1\admini~1\applic~1\5400 Series
2010-02-01 18:46:37 0 d-----w- c:\program files\common files\ODBC
2010-02-01 18:46:33 0 d-----w- c:\program files\common files\SpeechEngines
2010-02-01 18:44:16 0 d-----r- c:\documents and settings\all users\Documents
2010-02-01 18:35:14 0 d-----w- c:\program files\Ventrilo
2010-02-01 18:34:55 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-01 18:28:30 0 d-----w- c:\program files\common files\Symantec Shared
2010-02-01 18:24:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-02-01 18:24:18 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-02-01 18:21:44 0 d-----w- c:\program files\Steam
2010-02-01 18:21:11 0 d-----w- c:\program files\Realtek
2010-02-01 18:20:54 0 d-----w- c:\program files\AMD
2010-02-01 18:20:35 0 d--h--w- c:\program files\DeviceVM
2010-02-01 18:20:22 0 d-----w- c:\program files\Gigabyte
2010-02-01 18:12:14 0 d-----w- c:\program files\MSXML 4.0
2010-02-01 18:09:26 0 d-----w- c:\program files\MediaLooks
2010-02-01 18:09:20 0 d-----w- c:\program files\QuickTime Alternative
2010-02-01 18:09:07 0 d-----w- c:\program files\K-Lite Codec Pack
2010-02-01 18:08:59 0 d-----w- c:\program files\Foxit Software
2010-02-01 18:08:59 0 d-----w- c:\docume~1\admini~1\applic~1\Foxit
2010-02-01 18:08:53 0 d-----w- c:\program files\CCleaner
2010-02-01 18:08:50 0 d-----w- c:\program files\Unlocker
2010-02-01 18:08:26 0 d-----w- c:\program files\UPHClean
2010-02-01 18:08:21 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-02-01 17:59:17 0 d-sh--w- c:\documents and settings\all users\DRM
2010-02-01 17:59:00 0 d--h--w- c:\program files\WindowsUpdate
2010-02-01 17:58:46 0 d-----w- c:\program files\Windows Media Connect 2
2010-02-01 17:58:28 0 d-----w- c:\program files\common files\MSSoap
2010-02-01 16:19:25 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-02-01 16:19:17 0 d-----w- c:\program files\NVIDIA Corporation
2010-02-01 16:17:35 0 d-----w- c:\program files\lx_cats
2010-02-01 16:16:53 0 d-----w- c:\docume~1\alluse~1\applic~1\5400 Series
2010-02-01 16:16:45 0 d-----w- c:\program files\Lexmark Toolbar
2010-02-01 16:16:40 0 d-----w- c:\program files\Lexmark 5400 Series

==================== Find3M ====================

2010-02-04 11:08:06 17488 ----a-w- c:\windows\gdrv.sys
2010-02-01 18:08:05 410984 ----a-w- c:\windows\system32\deploytk.dll
2010-02-01 17:57:22 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-12 06:17:44 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 06:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 06:17:44 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 06:17:44 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 06:17:44 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 06:17:40 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-01-12 04:03:33 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 04:03:33 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-01-12 04:03:33 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-01-12 04:03:33 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-01-12 04:03:33 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-01-12 04:03:33 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcod.dll
2010-01-12 04:03:33 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 04:03:33 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-01-12 04:03:33 1081344 ----a-w- c:\windows\system32\nvapi.dll
2010-01-12 04:03:33 10276768 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 3:09:39,81 ===============





UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 01.02.2010 10:00:37
System Uptime: 02.04.2010 03:07:07 (-1368 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA785GM-US2H
Processor: AMD Athlon™ II X2 240 Processor | Socket M2 | 2812/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 35 GiB total, 20,169 GiB free.
D: is Removable
E: is FIXED (NTFS) - 39 GiB total, 5,192 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 01.02.2010 10:02:55 - System Checkpoint
RP2: 01.02.2010 10:05:21 - Installed Windows KB954550-v5.
RP3: 01.02.2010 10:05:25 - Printer Driver Microsoft XPS Document Writer Installed
RP4: 01.02.2010 10:07:42 - Installed Microsoft Visual C++ 2005 Redistributable
RP5: 01.02.2010 10:07:51 - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
RP6: 01.02.2010 10:08:02 - Installed Java™ 6 Update 12
RP7: 01.02.2010 10:08:25 - Installed User Profile Hive Cleanup Service
RP8: 01.02.2010 10:08:33 - Installed Alt-Tab Task Switcher Powertoy for Windows XP
RP9: 01.02.2010 10:08:46 - Installed Microsoft AppLocale

==== Installed Programs ======================

7-Zip 4.65
Adobe Flash Player 10 Plugin
AIM 7
AIM Toolbar
Alt-Tab Task Switcher Powertoy for Windows XP
AMD Processor Driver
avast! Antivirus
Browser Configuration Utility
CCleaner (remove only)
Counter-Strike: Source
Download Updater (AOL LLC)
EasySaver B9.0610.1
Foxit Reader
HashCheck Shell Extension (x86-32)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976098-v2)
Java™ 6 Update 12
K-Lite Mega Codec Pack 4.6.2
Left 4 Dead 2
Lexmark 5400 Series
Malwarebytes' Anti-Malware
MediaLooks QuickTime Source 1.7.0.3 (DirectShow Filter)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft AppLocale
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Application Compatibility Database
Mozilla Firefox (3.6)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
Open Command Prompt Shell Extension (x86-32)
QuickTime Alternative 2.8.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Steam
Unlocker 1.8.7
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
User Profile Hive Cleanup Service
Ventrilo Client
WebFldrs XP
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2

==== Event Viewer Messages From Past Week ========

04.02.2010 01:25:30, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
04.02.2010 01:20:22, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
03.02.2010 05:19:42, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
03.02.2010 04:04:41, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
03.02.2010 02:32:33, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
03.02.2010 02:31:37, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdPPM BHDrvx86 ccHP eeCtrl Fips IDSxpx86 IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SYMTDI Tcpip
03.02.2010 02:31:37, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
03.02.2010 02:31:37, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
03.02.2010 02:31:37, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03.02.2010 02:31:37, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
03.02.2010 02:30:55, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
03.02.2010 00:53:30, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IDSxpx86
01.02.2010 10:12:22, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007f0ea: Cumulative Security Update for Internet Explorer 7 for Windows XP (KB978207).

==== End Of File ===========================



ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/02/04 03:08
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAEEAA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85DC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAEA81000 Size: 49152 File Visible: No Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0xAE1A6000 Size: 8960 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\_restore{0F94C534-1BE3-4D3D-B8B5-3D2D9D7D0563}\RP9\A0006401.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{0F94C534-1BE3-4D3D-B8B5-3D2D9D7D0563}\RP9\A0006402.lnk
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaef92576

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaef92432

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaef92910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaef9200a

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaef9250c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaef91f4a

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaef91fae

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaef9262c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaef925ec

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xaef9276c

#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0xae1a66d0

==EOF==


Edited by EricaT, 04 February 2010 - 07:16 PM.


#4 EricaT

EricaT
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 04 February 2010 - 09:42 PM

What other malware scans can I use to actually detect this virus? Malwarebytes didn't pick anything up.


===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, or do not respond to your requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not post multiple times here, as that only pushes you further down the queue and causes confusion for the staff.

Please be patient. It may take several days, up to more than a week, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Elise - forum moderator

Edited by elise025, 05 February 2010 - 09:13 AM.


#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:08 AM

Posted 10 February 2010 - 12:41 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#6 EricaT

EricaT
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:09:08 PM

Posted 10 February 2010 - 02:12 PM

I've already resolved the issue. Thank you. I'm sorry if this has caused any inconvenience for you guys. You may remove this thread if you wish. Thanks and sorry.

#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:08 AM

Posted 10 February 2010 - 04:25 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



