Rogue Anti-Virus Software (Your Protection), Google Redirection, error in atapi file


This topic is locked
7 replies to this topic

#1 arisingprophet

Posted 06 April 2010 - 10:22 PM

Hiya! This morning I managed to somehow get "Your Protection" installed on my computer. After multiple hours of googling, attempts, and what not, MalwareBytes finally uninstalled it. All was good - until I tried to google something and I get redirected constantly. There is no specific website, it is always random, and it's driving me insane. Here are the methods I have taken:

The rkill file.
MalwareBytes - this supposedly removed Your Protection
Spybot Search and Destroy - removed a bunch of stuff, around 15 or so. It constantly picks up something like "WindowsSecurtyAlertsAntiVirus". I have run multiple scans.
SUPERAntiSpyware - this removed multiple trojans I had not found before.
Combofix - alerted to atapi being messed up.
CWShredder - nothing found.
TDSSKiller - It alerts, once again, atapi, but does not do anything about it upon reboot.
HiJackThis! - I removed various BHO's and files associated with Your Protection via it.

I have reinstalled Firefox (the main browser I use), cleared all temporary files for both FF and IE as well as Disk Cleanup. Also, unlike the others that seem to have this problem, I CAN update my MalwareBytes, as well as the various other Spyware tools I use. At this point in time, ALL my programs (MalwareBytes, Spybot, SUPERAntiSpyware) come up clean. Combofix, TDSSKiller, and GMER are finding things.

I cannot enter safe mode, either - it simply gives me an option to select either my hard drive, my slave drive, or my CD drive to boot from. Upon selecting my master drive (the only one with an OS, obviously), it simply boots as normal.

Not in this order, all based on topics I found for my problem, but none are fully removing the culprit. I've narrowed it down to the atapi file being affected (thanks to combofix, gmer, etc), but I do not have a system disk to insert a new one (this OS was put on by a computer guy I bought the new HD from when my old died), therefore I'm a bit stuck.

However, along with the Google Redirection and the atapi file errors, I am getting Windows Security Alerts telling me that Your Protection is out of date. Therefore, I'm assuming the bugger is still there. This is far out of my hands now, as I've been working on this for over half the day (since 4 AM this morning), with little to no success.

In addition to these errors, my SVCHOST.exe file in Task Manager is using a ton of my CPU. I am, however, based on various other topics, assuming this is due to this virus/trojan/bad thing with my computer.

I apologize if this sounds a bit unorganized. I've been trying to solve this most of the day and haven't slept, so I may be a bit out of it. Please, if something is unclear, ask me to clarify.

My Logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 22:47:14.43 on Tue 04/06/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.984 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Owner\My Documents\Downloads\tvkws8j5.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://192.168.0.1/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: Copy to Semagic - c:\program files\semagic\copy.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Semagic - c:\program files\semagic\link.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\o1np3b1d.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-07 02:02:01 0 d-sha-r- C:\cmdcons
2010-04-07 01:56:42 98816 ----a-w- c:\windows\sed.exe
2010-04-07 01:56:42 77312 ----a-w- c:\windows\MBR.exe
2010-04-07 01:56:42 261632 ----a-w- c:\windows\PEV.exe
2010-04-07 01:56:42 161792 ----a-w- c:\windows\SWREG.exe
2010-04-07 01:56:24 0 d-----w- C:\ComboFix
2010-04-06 21:05:11 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-06 21:04:43 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 21:04:43 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-04-06 20:18:45 0 d-----w- c:\program files\Safer Networking
2010-04-06 15:45:06 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 15:45:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-06 12:08:28 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 12:08:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 10:51:09 0 d-----w- c:\program files\Enigma Software Group
2010-04-06 10:36:54 0 d-----w- c:\program files\TrendMicro
2010-04-06 10:23:26 588 ----a-w- C:\Your Protection.lnk
2010-04-06 10:23:26 1494 ----a-w- C:\Your Protection Support.lnk
2010-04-06 10:23:26 0 d-----w- C:\Your Protection
2010-04-06 06:03:25 0 d-----w- c:\program files\SystemRequirementsLab
2010-04-02 06:35:14 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-04-02 06:35:13 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-04-02 06:35:12 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-04-02 06:35:12 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-03-26 05:33:51 0 d-----w- c:\windows\system32\appmgmt
2010-03-25 05:39:57 0 d-----w- c:\program files\Semagic
2010-03-24 08:39:43 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-03-24 08:39:43 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-03-24 08:38:09 0 d-----w- c:\program files\Audacity
2010-03-23 17:09:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard
2010-03-19 06:52:53 56360 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-19 06:06:11 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-19 06:06:11 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-19 06:04:29 0 d-----w- c:\program files\iPod
2010-03-19 06:04:08 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-19 06:04:07 0 d-----w- c:\program files\iTunes
2010-03-19 06:02:48 0 d-----w- c:\program files\Bonjour
2010-03-18 06:41:03 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-03-18 06:41:02 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-03-18 06:41:02 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-03-18 06:41:02 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-03-18 06:41:01 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-03-18 06:41:00 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-03-18 06:39:47 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-03-18 06:17:38 0 d-----w- c:\windows\Logs
2010-03-18 06:08:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Last.fm
2010-03-18 05:42:39 0 d-----w- c:\program files\Last.fm
2010-03-14 00:40:39 0 d-----w- c:\program files\Ventrilo
2010-03-14 00:40:29 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2010-03-14 00:40:18 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-13 06:33:00 69 ----a-w- c:\windows\NeroDigital.ini
2010-03-12 20:21:55 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2010-03-12 20:21:48 0 d-----w- c:\program files\common files\Software Update Utility
2010-03-12 20:21:48 0 d-----w- c:\program files\AIM
2010-03-12 20:21:47 0 d-----w- c:\program files\common files\AOL
2010-03-12 20:21:28 425 ---ha-w- C:\IPH.PH
2010-03-12 19:11:59 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-03-12 19:11:59 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-03-12 19:11:41 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-03-12 19:11:41 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-03-12 19:11:37 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-12 19:11:37 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-12 19:11:27 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-03-12 19:11:27 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-03-12 19:11:16 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-03-12 19:11:16 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-03-12 16:14:41 0 d-----w- c:\program files\common files\Blizzard Entertainment
2010-03-12 16:02:26 0 d-sh--w- c:\documents and settings\owner\UserData
2010-03-12 15:54:16 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-03-12 15:54:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-12 15:54:08 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 15:54:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-12 15:54:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-12 15:47:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-12 15:41:32 0 d-----w- c:\windows\system32\XPSViewer
2010-03-12 15:40:39 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-12 15:40:39 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-12 15:40:39 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-12 15:40:39 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-12 15:40:39 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-12 15:40:39 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-12 15:40:39 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-12 15:40:38 0 d-----w- C:\1cb932433ab99b6b549a74e474
2010-03-12 15:37:37 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-03-12 15:37:28 0 d-----w- c:\program files\MSXML 6.0
2010-03-12 15:15:41 163353 ----a-w- c:\windows\system32\nvapps.xml
2010-03-12 15:15:40 356352 ----a-w- c:\windows\system32\nvudisp.exe
2010-03-12 15:15:40 17737 ----a-w- c:\windows\system32\nvdisp.nvu
2010-03-12 15:15:40 0 d-----w- c:\windows\nview
2010-03-12 15:15:20 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-12 15:15:02 0 d-----w- C:\NVIDIA
2010-03-12 14:12:54 20480 -c--a-w- c:\windows\system32\dllcache\usbuhci.sys
2010-03-12 14:12:54 20480 ----a-w- c:\windows\system32\drivers\usbuhci.sys

==================== Find3M ====================

2010-04-07 01:51:13 95360 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-12 15:14:26 502272 ----a-w- c:\windows\system32\winlogon.exe

============= FINISH: 22:48:22.29 ===============
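The "Created Last 30" and "Find3M" sections of the DDS log above are where the atapi.sys problem the poster mentions shows up: a core boot driver whose modification time sits minutes before the clean-up tools were installed. As an added example (not part of this thread or of the DDS tool), here is a small Python triage script that parses DDS-style file entries and flags core Windows files modified close to the newest timestamp in the report, plus any hosts-file override. The sample lines and the CORE_FILES watchlist are constructed for the example; the thread's own log would be passed in the same way.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample in the shape of DDS output (a handful of lines, not the
# thread's full log). Backslashes are literal thanks to the raw string.
SAMPLE_DDS = r"""Hosts: 127.0.0.1 www.spywareinfo.com

=============== Created Last 30 ================

2010-04-07 01:56:42 77312 ----a-w- c:\windows\MBR.exe
2010-04-06 10:23:26 0 d-----w- C:\Your Protection
2010-04-02 06:35:12 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

==================== Find3M ====================

2010-04-07 01:51:13 95360 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-12 15:14:26 502272 ----a-w- c:\windows\system32\winlogon.exe

============= FINISH: 22:48:22.29 ===============
"""

# Constructed watchlist: core Windows binaries whose recent modification
# deserves a second look (atapi.sys is the one from the thread). Extend as needed.
CORE_FILES = {"atapi.sys", "winlogon.exe"}

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# DDS file entry: "<date> <time> <size> <8 attribute flags> <path>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*)$",
    re.IGNORECASE,
)
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)$")


@dataclass
class FileEntry:
    section: str
    modified: datetime
    size: int
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_system32(self) -> bool:
        return "\\system32\\" in self.path.lower()


def parse_dds(text: str) -> List[FileEntry]:
    """Pull timestamped file entries out of the Created Last 30 / Find3M sections."""
    entries: List[FileEntry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(FileEntry(
                section=section,
                modified=datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                size=int(m.group("size")),
                attrs=m.group("attrs"),
                path=m.group("path"),
            ))
    return entries


def triage(text: str, window_days: int = 7) -> List[str]:
    """Flag watchlisted system32 files modified within window_days of the newest
    timestamp in the report, and any hosts entry that is not plain localhost."""
    findings: List[str] = []
    entries = parse_dds(text)
    if entries:
        newest = max(e.modified for e in entries)
        for e in entries:
            recent = newest - e.modified <= timedelta(days=window_days)
            if e.in_system32 and e.name in CORE_FILES and recent:
                findings.append(
                    f"core file modified recently: {e.path} "
                    f"({e.modified:%Y-%m-%d %H:%M:%S}, section {e.section})"
                )
    for raw in text.splitlines():
        m = HOSTS_RE.match(raw.strip())
        if m and m.group("host").lower() != "localhost":
            findings.append(f"hosts override: {m.group('host')} -> {m.group('ip')}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
```

The age test is relative to the newest timestamp in the report rather than to the wall clock, because DDS prints file times in UTC while the header shows local time; comparing entries with each other avoids that offset. A hit on a core file is a reason to verify the binary against a known-good copy, not proof of infection on its own.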


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:43 PM

Posted 10 April 2010 - 04:50 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 arisingprophet

arisingprophet
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:43 AM

Posted 10 April 2010 - 07:12 PM

Thank you for the reply. Here are the files you requested:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 19:18:32.45 on Sat 04/10/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.123 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Documents and Settings\Owner\Local Settings\Apps\2.0\R3TK2CMY.P66\5DACVDE9.BNH\curs..tion_eee711038731a406_0004.0000_152ef8e82e8f5a48\CurseClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://192.168.0.1/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: Copy to Semagic - c:\program files\semagic\copy.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Semagic - c:\program files\semagic\link.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\o1np3b1d.default\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-4-9 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-9 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-9 60936]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-09 23:16:12 0 d-----w- c:\windows\system32\NtmsData
2010-04-09 23:15:24 0 d-----w- c:\docume~1\owner\applic~1\Avira
2010-04-09 18:06:47 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-04-09 18:06:46 0 d-----w- c:\program files\Avira
2010-04-09 18:06:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-04-09 17:54:40 0 d-----w- c:\program files\CCleaner
2010-04-07 02:02:01 0 d-sha-r- C:\cmdcons
2010-04-07 01:56:42 98816 ----a-w- c:\windows\sed.exe
2010-04-07 01:56:42 77312 ----a-w- c:\windows\MBR.exe
2010-04-07 01:56:42 261632 ----a-w- c:\windows\PEV.exe
2010-04-07 01:56:42 161792 ----a-w- c:\windows\SWREG.exe
2010-04-07 01:56:24 0 d-----w- C:\ComboFix
2010-04-06 21:05:11 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-06 21:04:43 0 d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 21:04:43 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-04-06 20:18:45 0 d-----w- c:\program files\Safer Networking
2010-04-06 15:45:06 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-06 15:45:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-06 12:08:28 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-06 12:08:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 10:51:09 0 d-----w- c:\program files\Enigma Software Group
2010-04-06 10:36:54 0 d-----w- c:\program files\TrendMicro
2010-04-06 06:03:25 0 d-----w- c:\program files\SystemRequirementsLab
2010-04-02 06:35:14 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-04-02 06:35:13 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-04-02 06:35:12 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-04-02 06:35:12 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-03-26 05:33:51 0 d-----w- c:\windows\system32\appmgmt
2010-03-25 05:39:57 0 d-----w- c:\program files\Semagic
2010-03-24 08:39:43 59264 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-03-24 08:39:43 59264 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-03-24 08:38:09 0 d-----w- c:\program files\Audacity
2010-03-23 17:09:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard
2010-03-19 06:52:53 56360 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-19 06:06:11 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-19 06:06:11 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-03-19 06:04:29 0 d-----w- c:\program files\iPod
2010-03-19 06:04:08 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-19 06:04:07 0 d-----w- c:\program files\iTunes
2010-03-19 06:02:48 0 d-----w- c:\program files\Bonjour
2010-03-18 06:41:03 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-03-18 06:41:02 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-03-18 06:41:02 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-03-18 06:41:02 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-03-18 06:41:01 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-03-18 06:41:00 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2010-03-18 06:39:47 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-03-18 06:17:38 0 d-----w- c:\windows\Logs
2010-03-18 06:08:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Last.fm
2010-03-18 05:42:39 0 d-----w- c:\program files\Last.fm
2010-03-14 00:40:39 0 d-----w- c:\program files\Ventrilo
2010-03-14 00:40:29 262 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2010-03-14 00:40:18 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-03-13 06:33:00 69 ----a-w- c:\windows\NeroDigital.ini
2010-03-12 20:21:55 0 d-----w- c:\docume~1\alluse~1\applic~1\AIM
2010-03-12 20:21:48 0 d-----w- c:\program files\common files\Software Update Utility
2010-03-12 20:21:48 0 d-----w- c:\program files\AIM
2010-03-12 20:21:47 0 d-----w- c:\program files\common files\AOL
2010-03-12 20:21:28 425 ---ha-w- C:\IPH.PH
2010-03-12 19:11:59 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-03-12 19:11:59 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-03-12 19:11:41 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-03-12 19:11:41 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-03-12 19:11:37 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-03-12 19:11:37 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-03-12 19:11:27 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-03-12 19:11:27 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-03-12 19:11:16 31616 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-03-12 19:11:16 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-03-12 16:14:41 0 d-----w- c:\program files\common files\Blizzard Entertainment
2010-03-12 16:02:26 0 d-sh--w- c:\documents and settings\owner\UserData
2010-03-12 15:54:16 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-03-12 15:54:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-12 15:54:08 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-12 15:54:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-12 15:54:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-12 15:47:10 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-12 15:41:32 0 d-----w- c:\windows\system32\XPSViewer
2010-03-12 15:40:39 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-03-12 15:40:39 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-03-12 15:40:39 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-03-12 15:40:39 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-03-12 15:40:39 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-03-12 15:40:39 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-03-12 15:40:39 117760 ------w- c:\windows\system32\prntvpt.dll
2010-03-12 15:40:38 0 d-----w- C:\1cb932433ab99b6b549a74e474
2010-03-12 15:37:37 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-03-12 15:37:28 0 d-----w- c:\program files\MSXML 6.0
2010-03-12 15:15:41 163353 ----a-w- c:\windows\system32\nvapps.xml
2010-03-12 15:15:40 356352 ----a-w- c:\windows\system32\nvudisp.exe
2010-03-12 15:15:40 17737 ----a-w- c:\windows\system32\nvdisp.nvu
2010-03-12 15:15:40 0 d-----w- c:\windows\nview
2010-03-12 15:15:20 356352 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-03-12 15:15:02 0 d-----w- C:\NVIDIA
2010-03-12 14:12:54 20480 -c--a-w- c:\windows\system32\dllcache\usbuhci.sys
2010-03-12 14:12:54 20480 ----a-w- c:\windows\system32\drivers\usbuhci.sys

==================== Find3M ====================

2010-04-10 01:05:30 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-08 10:12:44 359040 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-03-12 15:14:26 502272 ----a-w- c:\windows\system32\winlogon.exe

============= FINISH: 19:20:20.77 ===============



And GMER:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-10 19:52:03
Windows 5.1.2600 Service Pack 2
Running: 205sbk2g.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwgyyaoc.sys


---- System - GMER 1.0.15 ----

SSDT BAFEDCEE ZwCreateKey
SSDT BAFEDCE4 ZwCreateThread
SSDT BAFEDCF3 ZwDeleteKey
SSDT BAFEDCFD ZwDeleteValueKey
SSDT BAFEDD02 ZwLoadKey
SSDT BAFEDCD0 ZwOpenProcess
SSDT BAFEDCD5 ZwOpenThread
SSDT BAFEDD0C ZwReplaceKey
SSDT BAFEDD07 ZwRestoreKey
SSDT BAFEDCF8 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6B97320]

---- Kernel code sections - GMER 1.0.15 ----

? klmdb.sys The system cannot find the file specified. !
? tsk5.tmp The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9E8E380, 0x346307, 0xE8000020]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9DC1900]
.rsrc C:\WINDOWS\system32\DRIVERS\tcpip.sys entry point in ".rsrc" section [0xB6C95114]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[112] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B8000A
.text C:\WINDOWS\Explorer.EXE[112] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00B9000A
.text C:\WINDOWS\Explorer.EXE[112] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00B7000C
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 008E000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 008F000A
.text C:\WINDOWS\System32\svchost.exe[1084] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 008D000C
.text C:\WINDOWS\System32\svchost.exe[1084] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 0085000A
.text C:\WINDOWS\System32\svchost.exe[1084] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 0084000A

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 tsk5.tmp
Device \Driver\atapi \Device\Ide\IdePort1 tsk5.tmp
Device \Driver\atapi \Device\Ide\IdePort2 tsk5.tmp
Device \Driver\atapi \Device\Ide\IdePort3 tsk5.tmp
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1b tsk5.tmp
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-13 tsk5.tmp

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89196AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\tcpip.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Symptoms/Problems:
Cannot access Safemode.
Cannot access Windows Firewall.
Google searches, in Chrome, Firefox, and IE, redirect to random page upon clicking link straight from the search. Copying URL and pasting it is fine.
Random sites open in Firefox (I did not test the other browsers - it's about once every two hours)
Sluggish, svchost file in Task Manager will randomly start using 100% CPU, which I need to restart.
Windows Security Center is now reporting 'AntiVir Desktop' is installed. No idea what this is. (EDIT: Just as I posted this, I realize this was Avira. Oops!)
Random 'memory could not be read' errors, along with the corresponding blue screen error (memory could not be read).
Windows Login, upon start up, is taking FOREVER. Five or so minutes, at least. It used to take maybe one, two max.


Tried and Failed:
MBAM - once I finally got it to work with the initial Your Protection virus, it found a load of stuff. Removed it all.
Spybot - Found a bunch as well. Fixed.
SUPERAntiSpyware - found a bunch of trojans and what not. Fixed it.
HiJackThis! - Went through, and according to a web page (I am not sure what page, but it is one of the first to come up for 'Your Protection' virus), closed out the programs that were related to Your Protection.

At this point, I realized my browser was hijacked, and I was locked out of safe modes as well as Firewalls. So, I googled a bit, found a few posts exactly like mine, and did the following:
ComboFix
RKill
TDSS Killer
CCleaner
CWShredder
Avira AntiVirus

Now, upon logging in, I get errors about 'winlogon.exe'. Avira's Guard is constantly alerting me to Malware found (about every thirty minutes, give or take), and I click remove, with seemingly no effect. Full scans, at this point in time, show nothing other than various tracking cookies.

I've read that a reformat is probably my safest bet, but the problem is, I do not have a CD. The OS was put on this system by the guy that built/rebuilt my computer (a shoppe, actually), and his shop is closed until Monday. I'm still under warranty with him (I got this upgraded system less than thirty days ago), so I may be able to get him to reformat the main drive. I'm hoping he'll do it for free and/or cheap since I'm still under warranty.

Anyway, that's all that was asked, I think. One last question to go with it (Sorry!) - if I format the main drive (the one with the OS), what should I do about my slave drive? I figured I should just start the main drive in safe mode and scan the slave drive, but I wanted to be sure.

Upon bringing the computer out of stand by, I get 'Windows has detected an error and needs to shut down.'

EDIT: Sorry, my grammar was horrid, and I was trying to fix it.

Edited by arisingprophet, 11 April 2010 - 10:52 AM.
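The GMER log above has only a handful of line shapes, and a responder reads it by sorting them: SSDT entries GMER could not attribute to any loaded module, device objects whose IRPs are handled by something GMER could not find on disk (here tsk5.tmp sitting on every atapi IDE port), inline JMP hooks in user processes, and files GMER says were altered. The script below is an added example, not part of the thread and not GMER's own code; it parses those line shapes and lists what merits a closer look. The embedded sample log is constructed from the formats in the post, and parse_gmer and triage are this example's own names.

```python
"""Triage helper for GMER rootkit-scan logs.

Added example for this thread, not GMER's own code. It parses the line shapes
that appear in a GMER 1.0.15 log and groups the findings so that the entries
worth a second look stand out. The sample log is constructed from the formats
in the post; parse_gmer and triage are this example's own names.
"""
import re
from collections import defaultdict

# Constructed sample: one line of each shape seen in the posted GMER log.
SAMPLE_LOG = """\
---- System - GMER 1.0.15 ----

SSDT BAFEDCEE ZwCreateKey
SSDT \\??\\C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6B97320]

---- Kernel code sections - GMER 1.0.15 ----

? tsk5.tmp The system cannot find the file specified. !
.rsrc C:\\WINDOWS\\system32\\DRIVERS\\tcpip.sys entry point in ".rsrc" section [0xB6C95114]

---- User code sections - GMER 1.0.15 ----

.text C:\\WINDOWS\\Explorer.EXE[112] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B8000A

---- Devices - GMER 1.0.15 ----

Device \\Driver\\atapi \\Device\\Ide\\IdePort0 tsk5.tmp
AttachedDevice \\FileSystem\\Fastfat \\Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\\WINDOWS\\system32\\drivers\\atapi.sys suspicious modification
"""

# An SSDT entry GMER could attribute to a module carries the module path, a
# vendor string in parentheses and the handler address; an unattributed one
# carries only the handler address.
SSDT_UNRESOLVED = re.compile(r"^SSDT ([0-9A-F]{8}) (Zw\w+)$")
SSDT_RESOLVED = re.compile(r"^SSDT (.+?) \((.*?)\) (Zw\w+) \[0x([0-9A-F]+)\]$")
# A kernel module GMER saw referenced but could not open on disk.
MISSING_MODULE = re.compile(r"^\? (\S+) The system cannot find the file specified\. !$")
# Inline hook: the first bytes of an exported function replaced by a JMP.
INLINE_HOOK = re.compile(
    r"^\.text (.+?)\[(\d+)\] (\S+)!(\S+) ([0-9A-F]+) (\d+) Bytes JMP ([0-9A-F]+)$")
# Device object, the driver that owns it, and the module handling its IRPs.
DEVICE = re.compile(r"^Device (?:-> )?(\S+) (\S+) (\S+)$")
SUSPICIOUS_FILE = re.compile(r"^File (.+?) suspicious modification$")


def parse_gmer(text):
    """Return a dict of finding lists keyed by category."""
    found = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_UNRESOLVED.match(line):
            found["ssdt_unresolved"].append({"address": m.group(1), "function": m.group(2)})
        elif m := SSDT_RESOLVED.match(line):
            found["ssdt_resolved"].append({"module": m.group(1), "vendor": m.group(2),
                                           "function": m.group(3), "address": m.group(4)})
        elif m := MISSING_MODULE.match(line):
            found["missing_modules"].append(m.group(1))
        elif m := INLINE_HOOK.match(line):
            found["inline_hooks"].append({"process": m.group(1), "pid": int(m.group(2)),
                                          "module": m.group(3), "function": m.group(4),
                                          "address": m.group(5), "target": m.group(7)})
        elif m := DEVICE.match(line):
            found["devices"].append({"driver": m.group(1), "device": m.group(2),
                                     "handler": m.group(3)})
        elif m := SUSPICIOUS_FILE.match(line):
            found["suspicious_files"].append(m.group(1))
    return dict(found)


def triage(findings):
    """Return one line per finding that merits a closer look.

    Hooks that resolve to a named module with a vendor string (here an
    anti-spyware driver) are usually a security product doing its job, and
    inline hooks are recorded but not flagged on their own for the same
    reason. What stands out is an SSDT hook with no owning module, a device
    whose IRPs are handled by something GMER could not find on disk (or by a
    bare address instead of a .sys), and a file GMER says has been altered.
    """
    flagged = []
    missing = {m.lower() for m in findings.get("missing_modules", [])}
    for h in findings.get("ssdt_unresolved", []):
        flagged.append(f"SSDT {h['function']} hooked at {h['address']}, "
                       f"not attributed to any loaded module")
    for d in findings.get("devices", []):
        handler = d["handler"].lower()
        if handler in missing or not handler.endswith(".sys"):
            flagged.append(f"{d['device']} ({d['driver']}) dispatched through "
                           f"{d['handler']} rather than the driver image")
    for path in findings.get("suspicious_files", []):
        flagged.append(f"{path} reported as modified")
    return flagged


if __name__ == "__main__":
    for item in triage(parse_gmer(SAMPLE_LOG)):
        print(item)
```

Run against the full log from the post, the same rules put the ten unattributed SSDT entries, the six atapi device objects handled by tsk5.tmp, and the two "suspicious modification" files at the top of the list, and leave the SASKUTIL.SYS hook and the fltMgr.sys attachment alone.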


#4 schrauber (Mr.Mechanic)
  • Malware Response Team
  • 24,794 posts
  • Location: Munich, Germany

Posted 11 April 2010 - 02:56 PM

Hello, arisingprophet
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right-hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    tcpip*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
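What the :filefind request above is checking, shown as an added example (not SystemLook's code and not part of the thread): walk a drive for every file whose name matches a pattern, record size, timestamp and MD5 the way SystemLook prints them, then compare the copies Windows keeps of the same driver (the live one under drivers\, the File Protection copy under dllcache\, and the ERDNT backup ComboFix made). A copy that hashes differently from the others has been altered since they were written, even when its size is unchanged. The directory tree is constructed in a temporary folder so the script runs anywhere; file_find, inconsistent_copies and build_sample_tree are this example's own names.

```python
"""SystemLook-style ':filefind' with a cross-copy hash check.

Added example for this thread, not SystemLook's code. file_find walks a root
for files matching a pattern and records size, modification time and MD5 the
way SystemLook prints them; inconsistent_copies then groups the copies of each
file name by hash so that a drivers\\ copy which differs from dllcache\\ and the
ERDNT backup stands out. The directory tree is constructed in a temporary
folder so the script runs anywhere; all function names are this example's own.
"""
import fnmatch
import hashlib
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone


def file_find(root, pattern):
    """Return one record per file under root whose name matches pattern (case-insensitive)."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                continue
            path = os.path.join(dirpath, name)
            digest = hashlib.md5()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            st = os.stat(path)
            records.append({
                "path": path,
                "name": name.lower(),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                "md5": digest.hexdigest().upper(),
            })
    return records


def inconsistent_copies(records):
    """Map file name -> {md5: [paths]} for names present in several places with differing hashes."""
    by_name = defaultdict(lambda: defaultdict(list))
    for rec in records:
        by_name[rec["name"]][rec["md5"]].append(rec["path"])
    return {name: dict(hashes) for name, hashes in by_name.items() if len(hashes) > 1}


def build_sample_tree():
    """Constructed stand-in for a Windows system drive; returns its root path.

    The three tcpip.sys copies have the same size, as in the posted log, but
    the drivers\\ copy has different content.
    """
    clean = b"MZ" + bytes(64) + b"original code section"
    patched = b"MZ" + bytes(64) + b"patched  code section"
    layout = {
        "WINDOWS/system32/drivers/tcpip.sys": patched,
        "WINDOWS/system32/dllcache/tcpip.sys": clean,
        "WINDOWS/ERDNT/cache/tcpip.sys": clean,
        "WINDOWS/system32/drivers/tcpip6.sys": b"MZ" + b"tcpip6 image",
        "WINDOWS/Help/tcpip.chm": b"ITSF help file",
        "Program Files/Spybot - Search & Destroy/Plugins/TCPIPAddress.dll": b"MZ plugin",
    }
    root = tempfile.mkdtemp(prefix="filefind-")
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    records = file_find(root, "tcpip*")
    for rec in sorted(records, key=lambda r: r["path"]):
        print(f"{rec['path']} {rec['size']} bytes [{rec['modified']:%H:%M %d/%m/%Y}] {rec['md5']}")
    for name, hashes in inconsistent_copies(records).items():
        print(f"\n{name}: {len(hashes)} different hashes")
        for md5, paths in hashes.items():
            print(f"  {md5}  {', '.join(paths)}")
```

One caveat a responder keeps in mind when reading the result: the hashes come from the normal file API of the running system. A resident kernel-mode rootkit can serve the original bytes to every reader, so three identical hashes taken from inside the infected system rule out a plain on-disk patch but do not settle the question on their own; GMER's "suspicious modification" verdict comes from its own low-level read of the file, which is why the two tools can disagree, and a hash taken with the drive mounted from a clean boot medium is the definitive comparison.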

#5 arisingprophet (Topic Starter)
  • Members
  • 11 posts

Posted 11 April 2010 - 03:40 PM

Done!

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:38 on 11/04/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "tcpip*"
C:\Program Files\Spybot - Search & Destroy\Plugins\TCPIPAddress.dll --a--- 121344 bytes [15:45 06/04/2010] [05:05 24/12/2007] E5E95EDC3546821AE025D4A4726986C0
C:\Qoobox\Quarantine\Registry_backups\tcpip.reg --a--- 6430 bytes [02:07 07/04/2010] [02:07 07/04/2010] AC7E78DD0550D0FA18044B8932CD6754
C:\WINDOWS\ERDNT\cache\tcpip.sys --a--- 359040 bytes [02:10 07/04/2010] [11:00 04/08/2004] 9F4B36614A0FC234525BA224957DE55C
C:\WINDOWS\Help\tcpip.chm --a--- 50586 bytes [11:00 04/08/2004] [11:00 04/08/2004] 24FC18A9ED0AA561C5F5DC295F9AA9F2
C:\WINDOWS\system32\dllcache\tcpip.sys --a--c 359040 bytes [11:00 04/08/2004] [12:31 11/04/2010] 9F4B36614A0FC234525BA224957DE55C
C:\WINDOWS\system32\dllcache\tcpip6.sys --a--c 223616 bytes [11:00 04/08/2004] [11:00 04/08/2004] 4D58BB1AE8841AAFD8790AD7E1E3B8EA
C:\WINDOWS\system32\drivers\tcpip.sys --a--- 359040 bytes [11:00 04/08/2004] [12:31 11/04/2010] 9F4B36614A0FC234525BA224957DE55C
C:\WINDOWS\system32\drivers\tcpip6.sys --a--- 223616 bytes [11:00 04/08/2004] [11:00 04/08/2004] 4D58BB1AE8841AAFD8790AD7E1E3B8EA

-=End Of File=-

During this, should I turn off Avira's Guard and Spybot's TeaTimer?

#6 arisingprophet (Topic Starter)
  • Members
  • 11 posts

Posted 12 April 2010 - 11:48 AM

I am doing this the easy way and taking my computer in to be formatted.

I cannot format my slave drive at this time (I have no where to put all my files), so I was wondering what I should do about it other than scan it when I get my computer back.

#7 schrauber (Mr.Mechanic)
  • Malware Response Team

Posted 13 April 2010 - 12:56 PM

The slave drive should be OK, no file-infecting virus to see. Just scan the complete system with your AV program.

Edited by schrauber, 13 April 2010 - 12:56 PM.

regards,
schrauber


#8 schrauber (Mr.Mechanic)
  • Malware Response Team

Posted 18 April 2010 - 09:52 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber




