Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Avast Disabled, Searches Redirected, Services Crashing


  • This topic is locked This topic is locked
2 replies to this topic

#1 Xagest

Xagest

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 11 February 2010 - 02:13 AM

A friend sent me his computer for me to diagnose, and so far the usual methods haven't been working. MalwareBytes produces nothing, and Avast's bootscan brings up nothing. There's nothing suspicious in the HiJackThis log as far as I can tell, either. I've also used Spybot S&D.

Anyway, this bug seems to have disabled my Avast On Access Protection permenantly. It redirects google searches to adware sites. It deleted the System Restore files. Also, I get crashing services that prompt for computer restarts (DCOM and Plug and Play). I suspect I have a rootkit, but you guys can probably guess better.

I also noticed that if I try to do a windows update to Vista SP2, I get thrown into a STOP 7B blue screen error. I'm only able to get out of this from a set of registry keys I've backed up. Don't know if that's related, but I had to disable windows update to prevent SP2 from installing

DDS (Ver_09-12-01.01) - NTFSx86
Run by TR PLASTER at 23:43:45.10 on Wed 02/10/2010
Internet Explorer: 8.0.6001.18882
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://ww2.cox.com/myconnection/arizona/home.cox
uSearch Bar =
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\myesse~1.lnk - c:\program files\my essentials\usb me1001-usb\wireless utility\O-Maxwcui.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-11 05:41:41 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-02-11 04:46:52 0 d-----w- c:\program files\Sophos
2010-02-11 02:08:28 58962784 ----a-w- c:\windows\system32\confi.reg
2010-02-11 01:15:45 98816 ----a-w- c:\windows\sed.exe
2010-02-11 01:15:45 77312 ----a-w- c:\windows\MBR.exe
2010-02-11 01:15:45 261632 ----a-w- c:\windows\PEV.exe
2010-02-11 01:15:45 161792 ----a-w- c:\windows\SWREG.exe
2010-02-11 01:15:28 0 d-s---w- C:\ComboFix
2010-02-11 00:19:33 0 d-----w- c:\windows\system32\SPReview
2010-02-09 01:58:49 0 d-----w- c:\program files\TrendMicro
2010-02-09 01:54:06 0 d-----w- c:\program files\Microsoft
2010-02-09 01:54:04 0 d-----w- c:\program files\MSN Toolbar
2010-02-09 01:53:34 0 d-----w- c:\program files\MSN Toolbar Installer
2010-02-08 22:41:49 0 d-----w- c:\windows\system32\drivers\backup
2010-02-02 04:36:02 0 d-----w- c:\windows\system32\EventProviders
2010-02-02 04:34:55 0 d-----w- c:\users\trplas~1\appdata\roaming\Malwarebytes
2010-02-02 04:34:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 04:34:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 04:34:49 0 d-----w- c:\programdata\Malwarebytes
2010-02-02 04:34:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-02 01:32:31 0 d-----w- c:\program files\Ad-Aware SE Personal
2010-01-30 02:56:17 53328 ------w- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-30 02:28:48 212 ----a-w- c:\windows\wininit.ini
2010-01-30 01:51:42 0 d-----w- c:\programdata\Alwil Software
2010-01-13 07:43:30 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 07:43:29 72704 ----a-w- c:\windows\system32\fontsub.dll

==================== Find3M ====================

2010-02-11 00:25:38 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-02-11 00:25:38 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-11 00:25:38 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-11 00:23:08 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-14 18:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-26 09:39:43 4609 ----a-w- c:\windows\1z90backdoor5325.dll
2009-12-21 14:02:04 8106 ----a-w- c:\windows\system32\671hac9zoo588.bin
2009-12-21 09:43:42 5990 ----a-w- c:\windows\20553spamb9taz.dll
2009-12-20 13:53:55 15809 ----a-w- c:\windows\system32\9da6zparse58.dll
2009-12-19 20:16:20 10899 ----a-w- c:\windows\system32\z87dthre5t92529.exe
2009-12-19 07:18:13 11058 ----a-w- c:\windows\4515a9dzare3137.dll
2009-12-18 01:18:15 15145 ----a-w- c:\windows\system32\9a39spar5e2295z.bin
2009-12-17 08:31:29 15457 ----a-w- c:\windows\system32\6b89viz31735.dll
2009-12-16 09:12:32 10553 ----a-w- c:\windows\system32\383sp955z.exe
2009-12-14 02:15:19 15272 ----a-w- c:\windows\65dczddwar95725.bin
2009-12-13 19:54:07 5331 ----a-w- c:\windows\system32\14729sp5mbzt628.bin
2009-12-11 09:09:12 4782 ----a-w- c:\windows\system32\9zaddw5re2703.dll
2009-12-09 14:28:37 14828 ----a-w- c:\windows\system32\30z99wor5430.dll
2009-12-06 04:44:09 15072 ----a-w- c:\windows\41b9s5eal55z.exe
2009-12-06 00:56:16 15907 ----a-w- c:\windows\90za5dware1827.bin
2009-12-03 21:21:04 15333 ----a-w- c:\windows\system32\90395trzj65d.dll
2009-12-02 18:29:14 13593 ----a-w- c:\windows\9a58spa5sz1470.dll
2009-12-01 00:06:09 9354 ----a-w- c:\windows\system32\2z906troj65b9.bin
2009-11-23 19:09:55 7252 ----a-w- c:\windows\715cvzr997.exe
2009-11-23 17:00:45 5662 ----a-w- c:\windows\system32\9459s5y2zd.bin
2009-11-20 21:23:07 6749 ----a-w- c:\windows\19671z5t-a9virus4db.bin
2009-11-20 13:32:05 2716 ----a-w- c:\windows\system32\97624zorm5a9.exe
2009-11-16 21:55:57 11744 ----a-w- c:\windows\4215vzr25669.dll
2009-11-16 13:23:45 15569 ----a-w- c:\windows\4a1zth5eat179469.dll
2009-11-16 11:33:11 5950 ----a-w- c:\windows\system32\96159yware2z95.bin
2009-11-16 08:05:50 5698 ----a-w- c:\windows\5254steaz899.exe
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:44:44.91 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:24 AM

Posted 17 February 2010 - 05:19 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
[We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:09:24 AM

Posted 06 March 2010 - 04:28 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users