
Ave.exe



#1 seattleyoung

Posted 01 April 2010 - 11:23 PM

I got an early version of the virus and it had the flashing antivirus message telling me my computer was infected. Did the MBAM clean-up, installed Symantec, and it somehow disabled the security by replacing the virus definition list with an old one. Once it took over security, it put up a new 'malware antivirus message' that could not be closed. It appears that I can't get rid of this ave.exe... help! I have attached a screenshot of the MBAM error message. I cannot access my wireless or internet/firewall settings and am suspicious that the desktop shortcuts have been rerouted to start a worm/virus.

The MBAM (run in safe mode) log is below the DDS (run in safe mode 4/1) and GMER (run in regular mode 4/2) logs...

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
Run by Cori at 19:47:48.59 on Wed 03/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1765 [GMT -7:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Cori.COLLABORATIVE1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070123
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070123
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070123
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoca~1.lnk - c:\program files\common files\autodesk shared\acstart17.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efax43~1.lnk - c:\program files\efax messenger 4.3\J2GTray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} - hxxp://media.rivals.com/msichat.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {DEA6994F-3ED5-40BC-B5E3-0FD02411B1B4} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_1/PhotoCenter_ActiveX_Control.cab?
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 tuvttu.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-9-17 2477304]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [2007-1-31 22144]
S3 BLKPCIEVGAEX;BLKPCIEVGAEX;c:\windows\system32\drivers\blkgrpex.sys [2007-1-31 254080]
S3 BLKPCIEVGAMR;BLKPCIEVGAMR;c:\windows\system32\drivers\blkgrpmr.sys [2007-1-31 252800]
S3 cmudau32;C-Media USB UDA Sound Interface;c:\windows\system32\drivers\cmudaxu.sys [2007-1-31 1414528]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-19 99376]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081219.005\NAVENG.SYS [2008-12-19 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081219.005\NAVEX15.SYS [2008-12-19 876112]
S3 XGIGraphics;XGIGraphics;c:\windows\system32\drivers\xg20grp.sys [2007-1-31 282752]

=============== Created Last 30 ================

2010-04-01 02:46:36 0 ----a-w- c:\documents and settings\cori.collaborative1\defogger_reenable
2010-04-01 02:45:22 54016 ----a-w- c:\windows\system32\drivers\wtgey.sys
2010-03-30 16:17:26 0 d-----w- c:\docume~1\cori~1.col\applic~1\Malwarebytes
2010-03-13 17:52:46 3254 ----a-w- c:\windows\system32\wbem\Outlook_01cac2d5fcd8e198.mof
2010-03-11 06:03:52 196 ----a-w- c:\windows\system32\MRT.INI
2010-03-10 21:39:43 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-09 03:35:27 53148 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-08 19:20:55 0 d-----w- c:\program files\iPod
2010-03-08 19:20:50 0 d-----w- c:\program files\iTunes
2010-03-08 19:20:50 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-05 18:38:58 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-03-05 18:37:11 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-03-05 18:36:06 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-05 18:36:06 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-05 18:36:06 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-05 18:36:05 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-05 18:35:08 0 d-----w- c:\program files\Symantec AntiVirus
2010-03-05 17:49:12 0 d-----w- c:\windows\pss
2010-03-05 17:48:27 0 ---ha-w- c:\windows\system32\fcyxxu.dll
2010-03-05 17:19:10 0 ---ha-w- c:\windows\system32\awwtur.dll
2010-03-05 16:19:17 0 ---ha-w- c:\windows\system32\vturqp.dll
2010-03-05 00:18:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-05 00:17:59 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-05 00:17:59 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-05 00:17:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-04 23:55:31 0 d-----w- C:\HRB
2010-03-04 05:23:13 0 d-----w- C:\771c7573d0f5dfb7f8934dc38dc477a3
2010-03-04 01:06:32 120 ----a-w- c:\windows\Yrojadote.dat
2010-03-04 01:06:32 0 ----a-w- c:\windows\Ivayahinalu.bin
2010-03-02 06:13:14 0 d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-03-30 01:18:41 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-30 01:18:41 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2010-03-26 19:14:04 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.tmp

============= FINISH: 19:49:29.82 ===============



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-02 08:10:48
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\JACOBY~1\LOCALS~1\Temp\fwrdqpob.sys


---- System - GMER 1.0.15 ----

SSDT 8A5CC4B0 ZwAlertResumeThread
SSDT 8A5CD700 ZwAlertThread
SSDT 8A62E8A0 ZwAllocateVirtualMemory
SSDT 8A7F3860 ZwConnectPort
SSDT 8A7F2EC8 ZwCreateMutant
SSDT 8A5EE1E8 ZwCreateThread
SSDT 8AA19E48 ZwFreeVirtualMemory
SSDT 8A72B338 ZwImpersonateAnonymousToken
SSDT 8A5EAC80 ZwImpersonateThread
SSDT 8A5F3598 ZwMapViewOfSection
SSDT 8A804C28 ZwOpenEvent
SSDT 8A873A68 ZwOpenProcessToken
SSDT 8AA26E98 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xA6A87880]
SSDT 8A2D3A50 ZwResumeThread
SSDT 8A871888 ZwSetContextThread
SSDT 8A847308 ZwSetInformationProcess
SSDT 8A87EA50 ZwSetInformationThread
SSDT 8A5B4620 ZwSuspendProcess
SSDT 8A5D2870 ZwSuspendThread
SSDT 8A2DEE10 ZwTerminateProcess
SSDT 8A869810 ZwTerminateThread
SSDT 8A872D08 ZwUnmapViewOfSection
SSDT 8A62EDA0 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\SYMTDI \Device\SymTDI wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device 9CA4CD20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A9B2B4C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




===========================================================

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

3/31/2010 7:37:11 PM
mbam-log-2010-03-31 (19-37-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 298151
Time elapsed: 2 hour(s), 27 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Cori.COLLABORATIVE1\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jacob Young\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Edited by seattleyoung, 02 April 2010 - 01:00 PM.
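The logs in the post above record three concrete footholds worth checking on any similar machine: an extra DLL appended to the LSA Authentication Packages list (DDS line "LSA: Authentication Packages = msv1_0 tuvttu.dll"), a populated AppInit_DLLs value, and the StartMenuInternet shell\open\command rewritten so that ave.exe runs first and is handed iexplore.exe as an argument (the MBAM Hijack.StartMenuInternet entry). The script below is an added example for this thread, not part of the original post nor of DDS, GMER or MBAM. It runs those checks over DDS-style "Pseudo HJT Report" lines and over a raw command value. The sample lines are copied from the logs above; the allow-lists (only msv1_0 expected as an authentication package on XP, the browser executable names) and all function names are this example's own assumptions.

```python
"""Triage checks for DDS "Pseudo HJT Report" lines and a StartMenuInternet command.

Added example for this thread (not part of the original post, DDS, GMER or MBAM).
The rules encode what the logs above record:
  * an extra DLL in "LSA: Authentication Packages" (only msv1_0 is stock on XP;
    treating anything else as suspicious is this script's assumption),
  * a populated AppInit_DLLs value (loaded into every user32 process; review item),
  * BHO/TB/EB entries that resolve to "No File" (orphaned CLSIDs, low signal),
  * a Userinit that is not the stock userinit.exe,
  * a StartMenuInternet shell\\open\\command whose first executable is not a browser.
"""
import re

KNOWN_AUTH_PACKAGES = {"msv1_0"}          # assumption: nothing else expected on this XP box
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
BROWSER_EXES = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}  # assumed allow-list

# Constructed sample: lines copied from the DDS output posted above.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Authentication Packages = msv1_0 tuvttu.dll
"""

# The "Bad:" value MBAM reported for HKLM\...\StartMenuInternet\IEXPLORE.EXE\shell\open\command.
BAD_COMMAND = r'"C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
GOOD_COMMAND = r'"C:\Program Files\Internet Explorer\iexplore.exe"'


def check_auth_packages(value):
    """Return the packages in an 'Authentication Packages' value that are not known-good."""
    return [p for p in value.split() if p.lower() not in KNOWN_AUTH_PACKAGES]


def first_executable(command):
    """Lower-cased basename of the program a registry command string actually launches."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return re.split(r"[\\/]", path)[-1].lower()


def is_start_menu_internet_hijacked(command):
    """True when shell\\open\\command starts something other than a browser binary.

    A proxy launcher (ave.exe here) that receives the real browser as an argument
    is the pattern MBAM flagged as Hijack.StartMenuInternet.
    """
    return first_executable(command) not in BROWSER_EXES


def triage(log_text):
    """Walk DDS-style lines and return (severity, rule, detail, line) tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"LSA: Authentication Packages = (.*)", line)
        if m:
            for extra in check_auth_packages(m.group(1)):
                findings.append(("high", "lsa-auth-package", extra, line))
            continue
        m = re.match(r"AppInit_DLLs: (.*)", line)
        if m and m.group(1).strip():
            findings.append(("medium", "appinit-dlls", m.group(1).strip(), line))
            continue
        m = re.match(r"mWinlogon: Userinit=(.*)", line)
        if m:
            value = m.group(1).strip().rstrip(",").lower()
            if value != EXPECTED_USERINIT:
                findings.append(("high", "userinit", value, line))
            continue
        if re.match(r"(BHO|TB|EB): .* - No File$", line):
            findings.append(("low", "orphaned-entry", "No File", line))
    return findings


if __name__ == "__main__":
    for sev, rule, detail, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {rule}: {detail}\n    {line}")
    print("StartMenuInternet hijacked:", is_start_menu_internet_hijacked(BAD_COMMAND))
```

Two caveats. AppInit_DLLs is a review item, not a verdict: legitimate software registers there too, and on this machine the listed DLL sits under c:\progra~1\google, so the finding is ranked medium and left for a human. And this script only reads a log; on a live machine you would query the same keys directly, and it says nothing about the kernel-level finding GMER reported (the atapi.sys "suspicious modification"), which no registry check can see.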



#2 Farbar

Posted 04 April 2010 - 06:42 PM

Hi seattleyoung,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum and apologies for the delay. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If the issue is not resolved please update me on the current condition of your computer and provide new logs if the system has changed since then.

#3 Farbar

Posted 10 April 2010 - 10:05 AM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.
