
Internet Explorer running at 100% - System unusable


This topic is locked
11 replies to this topic

#1 Brawgates

Posted 15 March 2010 - 04:43 AM

Hi there


I'm convinced that my system is displaying an infection through Internet Explorer. The symptoms appeared less than a week ago. IE starts and runs normally for a short period. After visiting a few apparently safe websites, the system suddenly grinds to a halt. Task Manager then shows IE at or near 100% - even after all web requests have been satisfied.

There seems to be no obvious trigger (eg time after starting IE, number of websites visited, specific url) that causes IE suddenly to demand 100% of the processor.

One further factor may be relevant. After a pause in my browsing activity, I came back to my system to find that IE had jumped to the following url:

hxxp://91.213.157.15/index.php?q=81fd928d42ad28f711ff14c8c2ec84229110520

This was a blank page with the following pop-up:

    Warning!

    Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! System security will perform a quick and free scanning of your PC for viruses and malicious programs.

I took no action and closed IE through task manager.

No Malware detected by MBAM or SAS.

I've pasted in DDS.Txt and Ark.Txt (from GMER) below, and attached Attach.Txt.

With best wishes

Peter

============================ Start of DDS.Txt ====================================

DDS (Ver_09-12-01.01) - NTFSx86
Run by Admin at 9:12:47.07 on 14/03/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.211 [GMT 0:00]



============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\D-Link\AirPlus XtremeG DWL-G122\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Admin\Desktop\dds.scr


============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [D-Link AirPlus XtremeG DWL-G122] c:\program files\d-link\airplus xtremeg dwl-g122\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL


============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-25 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2010-1-19 131152]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [2010-1-19 90192]
S4 gupdate1c9a10bd7cc5f7f;Google Update Service (gupdate1c9a10bd7cc5f7f);c:\program files\google\update\GoogleUpdate.exe [2009-3-9 133104]


=============== Created Last 30 ================

2010-03-14 08:13:43 0 ----a-w- c:\documents and settings\admin\defogger_reenable
2010-02-26 08:54:59 293376 ------w- c:\windows\system32\browserchoice.exe


==================== Find3M ====================

2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ------w- c:\windows\system32\corpol.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
============= FINISH: 9:13:50.89 ===============

============================ Start of Ark.Txt ====================================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-15 08:19:27
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\uxtiipoc.sys



---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF4797DF0]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xF41846D0]


---- EOF - GMER 1.0.15 ----

============================ End of Ark.Txt ====================================

Edited by Orange Blossom, 15 March 2010 - 04:21 PM.
Deactivate link. ~ OB


#2 Farbar

Posted 16 March 2010 - 03:57 AM

Hi Peter,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  1. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install the Yahoo toolbar, uncheck the box next to it.
    • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.

  2. You are missing one important program on that computer: an antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

    Avira
    • Download the installer from the softpedia.com link, as it has a secure download mirror. Install and update it.
    • In the left pane click Status. In the right pane click Scan system now.
    • After the scan has finished, let it remove what it finds and then click Report.
    • You can also get the last report by clicking on Reports in the left pane.
    • In the right window under Action, double-click on the last Scan listed (you also see the corresponding Date/Time).
    • A window opens; click on Report file.
    • Copy and paste the content of the report into your reply.


#3 Brawgates

Posted 16 March 2010 - 05:47 AM

Hello Farbar

Many thanks for responding to my post. Much appreciated.

Just one question about Anti-Virus before I proceed with your proposed actions. I do have SuperAntiSpyware Professional Edition installed and, supposedly, active. Could your comments about my apparent lack of Anti-Virus software be related to settings?

Kind regards

Peter

#4 Farbar

Posted 16 March 2010 - 06:41 AM

Hi again Peter,

SuperAntiSpyware, as the name indicates too, is an antispyware/antimalware program like Malwarebytes. Though it is sometimes able to handle malicious malware and could offer additional protection, it is by no means a replacement for an antivirus.

#5 Brawgates

Posted 17 March 2010 - 03:57 AM

Good Morning Farbar

Many thanks for your elucidation. It would seem that 42 years in IT can allow a certain complacency to creep in. Failure to read what is said on the tin led me to assume that SuperAntiSpyware was a superset program, including full AntiVirus management. An assumption reinforced by SAS detecting a couple of Trojans earlier in the year. I stand corrected - and informed!!

Back to the job in hand:

CCleaner
Downloaded, installed and ran as directed. Successful.

Avira
Downloaded, installed, updated and ran as directed. Copy of report follows.

With kind regards

Peter



Avira AntiVir Personal
Report file date: 17 March 2010 00:12


Scanning for 1861868 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : HP-PAVILION


Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 11:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 07:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 22:52:05
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 23:33:21
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 23:38:11
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 23:42:11
VBASE005.VDF : 7.10.4.204 2048 Bytes 3/5/2010 23:42:11
VBASE006.VDF : 7.10.4.205 2048 Bytes 3/5/2010 23:42:13
VBASE007.VDF : 7.10.4.206 2048 Bytes 3/5/2010 23:42:14
VBASE008.VDF : 7.10.4.207 2048 Bytes 3/5/2010 23:42:17
VBASE009.VDF : 7.10.4.208 2048 Bytes 3/5/2010 23:42:18
VBASE010.VDF : 7.10.4.209 2048 Bytes 3/5/2010 23:42:18
VBASE011.VDF : 7.10.4.210 2048 Bytes 3/5/2010 23:42:18
VBASE012.VDF : 7.10.4.211 2048 Bytes 3/5/2010 23:42:18
VBASE013.VDF : 7.10.4.242 153088 Bytes 3/8/2010 23:42:23
VBASE014.VDF : 7.10.5.17 99328 Bytes 3/10/2010 23:42:26
VBASE015.VDF : 7.10.5.44 107008 Bytes 3/11/2010 23:42:28
VBASE016.VDF : 7.10.5.69 92672 Bytes 3/12/2010 23:42:30
VBASE017.VDF : 7.10.5.91 119808 Bytes 3/15/2010 23:42:36
VBASE018.VDF : 7.10.5.92 2048 Bytes 3/15/2010 23:42:37
VBASE019.VDF : 7.10.5.93 2048 Bytes 3/15/2010 23:42:37
VBASE020.VDF : 7.10.5.94 2048 Bytes 3/15/2010 23:42:37
VBASE021.VDF : 7.10.5.95 2048 Bytes 3/15/2010 23:42:37
VBASE022.VDF : 7.10.5.96 2048 Bytes 3/15/2010 23:42:38
VBASE023.VDF : 7.10.5.97 2048 Bytes 3/15/2010 23:42:38
VBASE024.VDF : 7.10.5.98 2048 Bytes 3/15/2010 23:42:38
VBASE025.VDF : 7.10.5.99 2048 Bytes 3/15/2010 23:42:39
VBASE026.VDF : 7.10.5.100 2048 Bytes 3/15/2010 23:42:39
VBASE027.VDF : 7.10.5.101 2048 Bytes 3/15/2010 23:42:39
VBASE028.VDF : 7.10.5.102 2048 Bytes 3/15/2010 23:42:40
VBASE029.VDF : 7.10.5.103 2048 Bytes 3/15/2010 23:42:40
VBASE030.VDF : 7.10.5.104 2048 Bytes 3/15/2010 23:42:40
VBASE031.VDF : 7.10.5.109 54784 Bytes 3/16/2010 23:42:42
Engineversion : 8.2.1.180
AEVDF.DLL : 8.1.1.3 106868 Bytes 3/16/2010 23:44:59
AESCRIPT.DLL : 8.1.3.17 1032570 Bytes 3/16/2010 23:44:58
AESCN.DLL : 8.1.5.0 127347 Bytes 3/16/2010 23:44:50
AESBX.DLL : 8.1.2.0 254323 Bytes 3/16/2010 23:45:01
AERDL.DLL : 8.1.4.2 479602 Bytes 3/16/2010 23:44:48
AEPACK.DLL : 8.2.1.0 426356 Bytes 3/16/2010 23:44:41
AEOFFICE.DLL : 8.1.0.39 196987 Bytes 3/16/2010 23:43:45
AEHEUR.DLL : 8.1.1.7 2326902 Bytes 3/16/2010 23:43:41
AEHELP.DLL : 8.1.10.1 237942 Bytes 3/16/2010 23:42:56
AEGEN.DLL : 8.1.2.0 373107 Bytes 3/16/2010 23:42:53
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 07:38:26
AECORE.DLL : 8.1.12.2 188790 Bytes 3/16/2010 23:42:47
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 07:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 15:14:02
AVREP.DLL : 8.0.0.7 159784 Bytes 3/16/2010 23:45:08
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 15:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 15:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 12:25:47


Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, F:, G:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium


Start of the scan: 17 March 2010 00:12

Starting search for hidden objects.
'49930' objects were checked, '0' hidden objects were found.


The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'FINDFAST.EXE' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'ISUSPM.exe' - '1' Module(s) have been scanned
Scan process 'WZCSLDR2.exe' - '1' Module(s) have been scanned
Scan process 'AirGCFG.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'uphclean.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'E_S30RP1.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned


Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!


Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Boot sector 'G:\'
[INFO] No virus was found!


Starting to scan executable files (registry).
The registry was scanned ( '56' files ).



Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{A0672BCF-EA7E-4B90-8BF2-69A64F43E724}\RP58\A0007628.dll
[DETECTION] Is the TR/Trash.Gen Trojan
Begin scan in 'F:\' <Data>
Begin scan in 'G:\' <Backup>


Beginning disinfection:
C:\System Volume Information\_restore{A0672BCF-EA7E-4B90-8BF2-69A64F43E724}\RP58\A0007628.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4bd08d37.qua'!



End of the scan: 17 March 2010 08:04
Used time: 1:46:41 Hour(s)


The scan has been done completely. 8641 Scanned directories
274088 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
274085 Files not concerned
3643 Archives were scanned
2 Warnings
3 Notes
49930 Objects were scanned with rootkit scan
0 Hidden objects were found




#6 Farbar

Posted 17 March 2010 - 06:06 AM

Avira found an infected file in the System Volume Information folder and it could be from a prior, currently not active, infection.
Let's run ComboFix too to make sure.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • You will get a warning about the not trusted download sites for ComboFix, click Yes.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
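Farbar's reading above (a detection under System Volume Information\_restore is a dormant restore-point copy rather than an active infection) can be applied mechanically to an Avira report. The Python script below is an added example, not code from the thread, from Avira or from ComboFix; it parses a constructed report in the format Peter posted, where the RP58 path is the one from the thread and the Temp-folder detection (example.tmp.exe) is invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of an Avira AntiVir Personal report: a file path,
# followed by one or more bracketed lines about it. The RP58 entry copies the path
# posted in the thread; the Temp entry is an invented second detection for illustration.
SAMPLE_REPORT = """\
Begin scan in 'C:\\'
C:\\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\\System Volume Information\\_restore{A0672BCF-EA7E-4B90-8BF2-69A64F43E724}\\RP58\\A0007628.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\\Documents and Settings\\Admin\\Local Settings\\Temp\\example.tmp.exe
[DETECTION] Is the TR/Example.Gen Trojan
Begin scan in 'F:\\' <Data>
Beginning disinfection:
C:\\System Volume Information\\_restore{A0672BCF-EA7E-4B90-8BF2-69A64F43E724}\\RP58\\A0007628.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4bd08d37.qua'!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I
)
DETECT_RE = re.compile(r"^\[DETECTION\]\s+Is the (.+?)\s*$")
MOVED_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'!")


@dataclass
class Detection:
    path: str
    threat: str
    quarantined_as: Optional[str] = None

    @property
    def restore_point(self) -> Optional[str]:
        """RPnn if the hit lives inside a System Restore snapshot, else None."""
        m = RESTORE_RE.search(self.path)
        return m.group(1) if m else None


def parse_report(text: str) -> List[Detection]:
    """Collect one Detection per path; the disinfection section repeats the
    scan-phase hit, so it only contributes the quarantine note."""
    found: Dict[str, Detection] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.startswith("["):
            # A drive-letter path opens a new file record; anything else
            # (section headers such as "Begin scan in ...") closes it.
            current = line if PATH_RE.match(line) else None
            continue
        if current is None:
            continue
        m = DETECT_RE.match(line)
        if m:
            found.setdefault(current, Detection(current, m.group(1)))
            continue
        m = MOVED_RE.match(line)
        if m and current in found:
            found[current].quarantined_as = m.group(1)
    return list(found.values())


def triage(detections: List[Detection]) -> Dict[str, List[Detection]]:
    """Split hits the way a helper reads them: a restore-point copy is dormant
    (a risk only if that restore point is ever applied), a live path means the
    infection may still be active and autoruns/processes need checking, and
    anything not quarantined still needs an action."""
    return {
        "live": [d for d in detections if d.restore_point is None],
        "restore_point": [d for d in detections if d.restore_point is not None],
        "unquarantined": [d for d in detections if d.quarantined_as is None],
    }


if __name__ == "__main__":
    for bucket, hits in triage(parse_report(SAMPLE_REPORT)).items():
        print(bucket)
        for d in hits:
            print(f"  {d.threat:<24} {d.path}  (quarantined as {d.quarantined_as})")
```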

#7 Brawgates

Posted 17 March 2010 - 07:03 PM

Farbar

Downloaded ComboFix from Link 2. Copy of Log File attached. Microsoft Windows Recovery Console had been installed previously.

Regards


Peter


ComboFix 10-03-17.04 - Admin 17/03/2010 22:43:18.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.249 [GMT 0:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.


((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.


2010-03-17 00:04 . 2010-03-17 00:04 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Google
2010-03-16 22:37 . 2010-03-16 22:37 -------- d-----w- c:\windows\LastGood
2010-03-16 22:37 . 2009-11-25 11:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-16 22:37 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-16 22:37 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-16 22:37 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-16 22:37 . 2010-03-16 22:37 -------- d-----w- c:\program files\Avira
2010-03-16 22:37 . 2010-03-16 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-16 20:48 . 2010-03-16 20:48 -------- d-----w- c:\program files\CCleaner
2010-02-26 08:54 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 22:11 . 2010-01-11 22:57 117760 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-17 09:07 . 2010-01-12 08:27 117760 ----a-w- c:\documents and settings\Peter Field\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-09 23:20 . 2007-11-08 08:18 21320 ----a-w- c:\documents and settings\Peter Field\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-07 01:01 . 2009-12-29 22:01 21320 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-06 23:54 . 2010-02-06 23:54 -------- d-----w- c:\program files\ANI
2010-02-06 23:54 . 2009-12-15 08:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 23:53 . 2007-11-08 09:01 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-06 23:53 . 2010-02-06 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-02-06 23:53 . 2010-02-06 23:53 -------- d-----w- c:\program files\D-Link
2010-02-06 23:49 . 2010-02-06 23:49 -------- d-----w- c:\documents and settings\Admin\Application Data\InstallShield
2010-02-06 22:05 . 2010-01-11 22:59 52224 ----a-w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-06 19:28 . 2007-11-07 21:14 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-03 18:22 . 2007-11-14 01:53 -------- d-----w- c:\documents and settings\Peter Field\Application Data\AdobeUM
2010-01-25 23:11 . 2008-08-28 09:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-25 15:29 . 2010-01-25 15:29 -------- d-----w- c:\program files\Lavasoft
2010-01-25 15:09 . 2010-01-25 09:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-25 09:40 . 2008-08-28 07:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-19 10:47 . 2010-01-19 10:36 -------- d-----w- c:\documents and settings\Peter Field\Application Data\TotalRecorder
2010-01-19 09:50 . 2010-01-19 09:50 -------- d-----w- c:\program files\HighCriteria
2010-01-17 13:09 . 2007-11-13 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-01-16 17:03 . 2010-01-14 09:59 52224 ----a-w- c:\documents and settings\Peter Field\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-07 16:07 . 2010-01-14 08:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2010-01-14 08:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00 . 2004-08-03 23:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2004-08-03 23:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-03 23:56 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2004-08-03 22:14 353792 ----a-w- c:\windows\system32\drivers\srv.sys
.


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"nwiz"="nwiz.exe" [2003-07-28 323584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"D-Link AirPlus XtremeG DWL-G122"="c:\program files\D-Link\AirPlus XtremeG DWL-G122\AirGCFG.exe" [2008-12-19 1556480]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-05-16 213936]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]


c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1998-4-7 111376]


[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll


[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Distiller Assistant 3.01.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Distiller Assistant 3.01.lnk
backup=c:\windows\pss\Distiller Assistant 3.01.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-06 22:53 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avgfws8"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"gupdate1c9a10bd7cc5f7f"=2 (0x2)


[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [25/09/2009 15:55 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [16/03/2010 22:37 108289]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [19/01/2010 10:29 131152]
R3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [19/01/2010 10:29 90192]
S4 gupdate1c9a10bd7cc5f7f;Google Update Service (gupdate1c9a10bd7cc5f7f);c:\program files\Google\Update\GoogleUpdate.exe [09/03/2009 23:07 133104]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
*NewlyCreated* - SSMDRV
*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder


2010-03-06 c:\windows\Tasks\MBAM Fullscan.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-14 16:07]


2010-03-11 c:\windows\Tasks\MBAM Quickscan.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-14 16:07]


2010-03-11 c:\windows\Tasks\MBAM Update.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2010-01-14 16:07]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
.


**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 22:55
Windows 5.1.2600 Service Pack 3 NTFS


scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------


- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll


- - - - - - - > 'explorer.exe'(1328)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-17 23:01:51
ComboFix-quarantined-files.txt 2010-03-17 23:01


Pre-Run: 25,717,714,944 bytes free
Post-Run: 25,804,976,128 bytes free


- - End Of File - - FF4134A607987FADC673195E3F48BB3E




#8 Farbar

Posted 18 March 2010 - 02:14 AM

It looks good Peter. Do you still notice any IE issue?

#9 Brawgates

Posted 18 March 2010 - 07:13 PM

Hi Farbar

Thanks for the encouraging feedback.

From the, albeit rather limited, use I've been able to make of IE since Avira found and removed the TR/Trash.Gen Trojan infection, all now seems well.

Kind regards

Peter

#10 Farbar

Posted 18 March 2010 - 07:51 PM

Good.

It is important to uninstall ComboFix.

Go to Start => Run => copy and paste next command in the field then hit enter:

ComboFix /Uninstall

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

Happy Surfing, Peter.

#11 Brawgates

Posted 21 March 2010 - 02:21 AM

Hello again Farbar

ComboFix removed as you suggested. Access to IE now working normally.

Many thanks for your interest and guidance.

With kind regards

Peter



#12 Farbar

Posted 21 March 2010 - 06:12 AM

You are most welcome, Peter.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
