Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer infected with Antivirus


  • This topic is locked This topic is locked
6 replies to this topic

#1 Tarawilla

Tarawilla

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:34 PM

Posted 10 February 2010 - 08:35 PM

My computer has become infected with a virus... Antivirus I believe. It wants me to download specific antivirus software to remove. It has disabled my Avast software, along with not allowing me to access any exe files. It continuously pops up with its warnings. I am currently working in safemode.

Also, I tried the Malwarebytes fix suggested elsewhere on this site. I was unable to get it to update. I ran the program to do a full scan, but that had no effect on this particular virus.

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by User at 13:02:15.09 on Wed 02/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2601 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 100210-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\User\My Documents\Clean This bleep UP\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7c4e6606-dedf-4bb2-a422-44efe9468b0b} - pagumuzu.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mRun: [ASUS Update Checker] c:\program files\asus\asusupdate\updatechecker\UpdateChecker.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [crasxuyp] c:\documents and settings\user\local settings\application data\twomlq\yrdysftav.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Atmospherica.xtreme
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247039567667
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247039522960
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SSODL: gawukazad - {bc5967da-e57a-45ec-8b9b-d4aa8dcddc8f} - c:\windows\system32\fetunigu.dll
STS: tokatiluy: {bc5967da-e57a-45ec-8b9b-d4aa8dcddc8f} - c:\windows\system32\fetunigu.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli tewejasa.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\aodmjnut.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-8 114768]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-8 20560]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-8 138680]
S3 adxapie;adxapie;c:\docume~1\user\locals~1\temp\adxapie.sys [2007-8-16 31744]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-8 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-8 352920]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2010-02-09 08:08:41 0 d-----w- c:\program files\Yahoo!
2010-02-08 09:46:27 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-02-08 09:41:47 0 d-----w- c:\program files\VUGames
2010-01-28 21:10:21 269 ----a-w- c:\windows\wininit.ini
2010-01-17 10:42:27 0 d-----w- c:\program files\VideoLAN
2010-01-14 11:27:40 839680 ----a-w- c:\windows\system32\lameACM.acm
2010-01-14 11:27:40 414 ----a-w- c:\windows\system32\lame_acm.xml
2010-01-14 11:27:40 38 ----a-w- c:\windows\avisplitter.ini
2010-01-14 11:27:39 881664 ----a-w- c:\windows\system32\xvidcore.dll
2010-01-14 11:27:39 630784 ----a-w- c:\windows\system32\vp7vfw.dll
2010-01-14 11:27:39 39936 ----a-w- c:\windows\system32\huffyuv.dll
2010-01-14 11:27:39 217088 ----a-w- c:\windows\system32\yv12vfw.dll
2010-01-14 11:27:39 205824 ----a-w- c:\windows\system32\xvidvfw.dll
2010-01-14 11:27:39 118784 ----a-w- c:\windows\system32\ac3acm.acm
2010-01-14 11:27:38 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-01-14 11:27:37 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2010-01-14 11:27:36 0 d-----w- c:\program files\K-Lite Codec Pack
2010-01-14 10:44:26 178176 ----a-w- c:\windows\system32\unrar.dll
2010-01-13 18:33:55 0 d-----w- C:\c666a4c674bfe788569e888ee641bd
2010-01-13 12:38:29 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-30 04:27:52 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-30 22:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-30 22:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47:28 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47:28 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47:28 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47:28 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47:28 696320 ----a-w- c:\windows\system32\DivX.dll

============= FINISH: 13:02:36.65 ===============

Attached Files


Edited by Tarawilla, 10 February 2010 - 08:51 PM.


BC AdBot (Login to Remove)

 


#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:04:34 PM

Posted 10 February 2010 - 09:44 PM

Greetings Tarawilla and Welcome to the Forums,

May we see the GMER log now please?

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 Tarawilla

Tarawilla
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:34 PM

Posted 10 February 2010 - 09:50 PM

Here is the GMER log you requested

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-10 17:29:52
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\uxddqpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- EOF - GMER 1.0.15 ----


#4 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:04:34 PM

Posted 10 February 2010 - 10:23 PM

Great thanks! Please uninstall the following software:
µTorrent
Adobe Reader 8.1.1
Java™ 6 Update 13
...reboot when finished uninstalling.

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.


The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a log file for you. Please post that log back here on your next reply. Thanks!

Note:
Do not mouseclick combofix's window while it's running....that may cause the scan to stall




Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#5 Tarawilla

Tarawilla
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:34 PM

Posted 10 February 2010 - 10:50 PM

Adobe Reader 8.1.1
Java™ 6 Update 13

It will not let me uninstall these in safemode, not sure if there is something I can do to remedy that. I cannot, atm work with computer in reg mode. Unsure what needs to be done at this point.

Thank you, btw for your replies.

#6 Tarawilla

Tarawilla
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:34 PM

Posted 11 February 2010 - 03:18 AM

Wanted to let you know that the problem is now fixed. I was able to get Malwarebytes to update by going into LAN settings and checking Automatically detect settings. Once the update was successful, I ran another full scan and Malwarebytes found and cleaned it up.

Thank you again for you help

#7 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:04:34 PM

Posted 11 February 2010 - 09:37 AM

So glad you were able to sort it out. You can delete these:
DDS
GMER
Ark.txt

Now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check the 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20090101_Clean) Click "Create" and reboot your computer.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Web of Trust, (WOT,) warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

Install the Winpatrol security monitor utility. WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. What I hear most from users is how much they like the startup control feature and it's ease of use. Need help understanding something about Winpatol? Here it is.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than ) one of these types of third party firewalls running on board:
Sunbelt Personal Firewall
Zone Alarm
Outpost Free
Comodo This download includes the HopSurf toolbar.
Beware

By installing this toolbar, you grant Comodo permission to collect information about your Internet usage. Read the HopSurf EULA. If you DONT WANT IT be sure to remove the check from the box when presented during the installation. Don't be too alarmed by this caveat...I highly recommend this firewall, but it may just be best suited for advanced users.

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download "Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup or else just download the Slim version (no toolbar...last download link at the bottom of that page)...

Or if you just want to run your on board Disk Cleanup:
("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?
Regards, and Happy Surfing!

This issue appears resolved and the thread is closed to prevent others from posting here.
Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Disabled Veteran, U.S.C.G. 1972 - 1978
mvpsigpic.jpg
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users