Ave.exe infection, svchost.exe/browser hijacked, more


  • This topic is locked
16 replies to this topic

#1 TDhonnhok

TDhonnhok

  • Members
  • 34 posts

Posted 16 April 2010 - 07:35 AM

About a week and a half ago, I got infected with something called Windows Security 2010. When I would boot up my PC I'd get prompted with all sorts of odd admin limitations saying "You cannot open this file. Please contact your admin..." and I am the only person/admin to use this PC. Furthermore, my browser gets redirected at times whenever I click on a link to different web search engines and ads for virus/spyware/malware/registry protection.

I attempted to fix the issue before coming to these forums and discovered that MalwareBytes tried to get rid of several files, but it seems like Ave.exe is the culprit that keeps coming back. I'm unsure if this is the true root of the problem though.

I've found that once I log into Windows for the first time after booting my PC there is one svchost.exe process among 5-7 or so that eats up a ton of resources. I watched the process and its resource consumption gradually rose from 3k to 5k to 12k to 30k all the way up to 150k+. When I would kill the process, another would come back shortly and then another after that one was killed. After a while, my 'sound mixer' was disabled or unrecognizable and my explorer bar reverted to the older Windows 98 style instead of the skinned XP style. However, if these processes are killed I do not receive the popups and ads for Windows Security or Windows Antispyware 2010.

To recap, the main issues are:

- hijacked browser
- svchost.exe process creating unusual lag
- explorer bar errors
- admin rights being disabled for some items
- sound working improperly after a while of being logged into Windows
- annoying popups and fake alerts from Windows Security 2010
- unable to access Windows Update; "cannot connect to server"

I had to attach the GMER log rather than put it in the body due to an error I kept getting when trying to make the initial post. Furthermore, the second half of the ark.txt had to be posted as a reply due to upload file size limitations.

Many thanks in advance!

Edited by TDhonnhok, 16 April 2010 - 07:29 PM.




#2 TDhonnhok

TDhonnhok
  • Topic Starter

  • Members
  • 34 posts

Posted 16 April 2010 - 07:18 PM

[MANUAL] ati2mtag
Service Atierecord
Service C:\WINDOWS\system32\DRIVERS\atmarpc.sys (IP/ATM Arp Client/Microsoft Corporation) [MANUAL] Atmarpc
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] AudioSrv
Service C:\WINDOWS\system32\DRIVERS\audstub.sys (AudStub Driver/Microsoft Corporation) [MANUAL] audstub
Service BattC
Service (BEEP Driver/Microsoft Corporation) [SYSTEM] Beep
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] BITS
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] Browser
Service C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys [MANUAL] catchme
Service (CardBus/PCMCIA IDE Miniport Driver/Microsoft Corporation) [DISABLED] cbidf2k
Service [DISABLED] cd20xrnt
Service (CD-ROM Audio Filter Driver/Microsoft Corporation) [SYSTEM] Cdaudio
Service (CD-ROM File System Driver/Microsoft Corporation) [DISABLED] Cdfs
Service C:\WINDOWS\system32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation) [SYSTEM] Cdrom
Service (DELL CERC SATA1.5/6ch Miniport Driver/Adaptec, Inc.) [BOOT] cercsr6
Service [SYSTEM] Changer
Service C:\WINDOWS\system32\cisvc.exe (Content Index service/Microsoft Corporation) [MANUAL] CiSvc
Service C:\WINDOWS\system32\clipsrv.exe (Windows NT DDE Server/Microsoft Corporation) [MANUAL] ClipSrv
Service C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (.NET Runtime Optimization Service/Microsoft Corporation) [MANUAL] clr_optimization_v2.0.50727_32
Service [DISABLED] CmdIde
Service C:\WINDOWS\system32\dllhost.exe (COM Surrogate/Microsoft Corporation) [MANUAL] COMSysApp
Service ContentFilter
Service ContentIndex
Service [DISABLED] Cpqarray
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] CryptSvc
Service [DISABLED] dac2w2k
Service [DISABLED] dac960nt
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] DcomLaunch
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] Dhcp
Service C:\WINDOWS\system32\DRIVERS\disk.sys (PnP Disk Driver/Microsoft Corporation) [BOOT] Disk
Service C:\WINDOWS\System32\dmadmin.exe (Logical Disk Manager service process/Microsoft Corp., Veritas Software) [MANUAL] dmadmin
Service C:\WINDOWS\System32\drivers\dmboot.sys (NT Disk Manager Startup Driver/Microsoft Corp., Veritas Software) [DISABLED] dmboot
Service C:\WINDOWS\system32\DRIVERS\dmio.sys (NT Disk Manager I/O Driver/Microsoft Corp., Veritas Software) [BOOT] dmio
Service (NT Disk Manager Startup Driver/Microsoft Corp., Veritas Software.) [BOOT] dmload
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] dmserver
Service C:\WINDOWS\system32\drivers\DMusic.sys (Microsoft Kernel DLS Synthesizer/Microsoft Corporation) [MANUAL] DMusic
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] Dnscache
Service [DISABLED] dpti2o
Service System32\drivers\dqr6ed8.sys [BOOT] dqr6ed8
Service C:\WINDOWS\system32\drivers\drmkaud.sys (Microsoft Kernel DRM Audio Descrambler Filter/Microsoft Corporation) [MANUAL] drmkaud
Service C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel® PRO/100 Adapter NDIS 5.1 driver/Intel Corporation) [MANUAL] E100B
Service C:\WINDOWS\eHome\ehRecvr.exe (Media Center Receiver Service/Microsoft Corporation) [AUTO] ehRecvr
Service C:\WINDOWS\eHome\ehSched.exe (Media Center Scheduler Service/Microsoft Corporation) [AUTO] ehSched
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] ERSvc
Service C:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation) [AUTO] Eventlog
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] EventSystem
Service (Fast FAT File System Driver/Microsoft Corporation) [DISABLED] Fastfat
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] FastUserSwitchingCompatibility
Service C:\WINDOWS\system32\DRIVERS\fdc.sys (Floppy Disk Controller Driver/Microsoft Corporation) [MANUAL] Fdc
Service (FIPS Crypto Driver/Microsoft Corporation) [SYSTEM] Fips
Service C:\WINDOWS\system32\DRIVERS\flpydisk.sys (Floppy Driver/Microsoft Corporation) [MANUAL] Flpydisk
Service C:\WINDOWS\system32\DRIVERS\fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) [BOOT] FltMgr
Service C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (Windows Presentation Foundation Font Cache Service/Microsoft Corporation) [MANUAL] FontCache3.0.0.0
Service (File System Recognizer Driver/Microsoft Corporation) [SYSTEM] Fs_Rec
Service C:\WINDOWS\system32\DRIVERS\ftdisk.sys (FT Disk Driver/Microsoft Corporation) [BOOT] Ftdisk
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] getPlusHelper
Service C:\WINDOWS\system32\DRIVERS\msgpc.sys (MS General Packet Classifier/Microsoft Corporation) [MANUAL] Gpc
Service C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0/Windows ® Server 2003 DDK provider) [MANUAL] HDAudBus
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] helpsvc
Service C:\WINDOWS\system32\DRIVERS\hidir.sys (Infrared Miniport Driver for Input Devices/Microsoft Corporation) [MANUAL] HidIr
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] HidServ
Service C:\WINDOWS\system32\DRIVERS\hidusb.sys (USB Miniport Driver for Input Devices/Microsoft Corporation) [MANUAL] hidusb
Service [DISABLED] hpn
Service C:\WINDOWS\System32\Drivers\HTTP.sys (HTTP Protocol Stack/Microsoft Corporation) [MANUAL] HTTP
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] HTTPFilter
Service [SYSTEM] i2omgmt
Service [DISABLED] i2omp
Service (i8042 Port Driver/Microsoft Corporation) [SYSTEM] i8042prt
Service iastor
Service C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (IDriverT Module/Macrovision Corporation) [MANUAL] IDriverT
Service C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Windows CardSpace/Microsoft Corporation) [MANUAL] idsvc
Service C:\WINDOWS\system32\DRIVERS\imapi.sys (IMAPI Kernel Driver/Microsoft Corporation) [SYSTEM] Imapi
Service C:\WINDOWS\system32\imapi.exe (Image Mastering API/Microsoft Corporation) [MANUAL] ImapiService
Service inetaccs
Service [DISABLED] ini910u
Service Inport
Service C:\WINDOWS\system32\DRIVERS\IntelC51.sys (Modem DSP Driver/Intel Corporation) [MANUAL] IntelC51
Service C:\WINDOWS\system32\DRIVERS\IntelC52.sys (Modem CP Driver/Intel Corporation) [MANUAL] IntelC52
Service C:\WINDOWS\system32\DRIVERS\IntelC53.sys (Modem AFE Driver/Intel Corporation) [MANUAL] IntelC53
Service [DISABLED] IntelIde
Service C:\WINDOWS\system32\DRIVERS\intelppm.sys (Processor Device Driver/Microsoft Corporation) [SYSTEM] intelppm
Service system32\DRIVERS\Ip6Fw.sys [MANUAL] Ip6Fw
Service C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys (IP FILTER DRIVER/Microsoft Corporation) [MANUAL] IpFilterDriver
Service C:\WINDOWS\system32\DRIVERS\ipinip.sys (IP in IP Encapsulation Driver/Microsoft Corporation) [MANUAL] IpInIp
Service C:\WINDOWS\system32\DRIVERS\ipnat.sys (IP Network Address Translator/Microsoft Corporation) [MANUAL] IpNat
Service C:\WINDOWS\system32\DRIVERS\ipsec.sys (IPSec Driver/Microsoft Corporation) [SYSTEM] IPSec
Service C:\WINDOWS\system32\DRIVERS\IrBus.sys (USB Consumer IR Driver for eHome/Microsoft Corporation) [MANUAL] IrBus
Service C:\WINDOWS\system32\DRIVERS\irenum.sys (Infra-Red Bus Enumerator/Microsoft Corporation) [MANUAL] IRENUM
Service ISAPISearch
Service C:\WINDOWS\system32\DRIVERS\isapnp.sys (PNP ISA Bus Driver/Microsoft Corporation) [BOOT] isapnp
Service C:\Program Files\Java\jre6\bin\jqs.exe (Java™ Quick Starter Service/Sun Microsystems, Inc.) [AUTO] JavaQuickStarterService
Service C:\WINDOWS\system32\DRIVERS\kbdclass.sys (Keyboard Class Driver/Microsoft Corporation) [SYSTEM] Kbdclass
Service C:\WINDOWS\system32\DRIVERS\kbdhid.sys (HID Mouse Filter Driver/Microsoft Corporation) [SYSTEM] kbdhid
Service C:\WINDOWS\system32\drivers\kmixer.sys (Kernel Mode Audio Mixer/Microsoft Corporation) [MANUAL] kmixer
Service (Kernel Security Support Provider Interface/Microsoft Corporation) [BOOT] KSecDD
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] lanmanserver
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] lanmanworkstation
Service C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Ad-Aware Service Application/Lavasoft) [AUTO] Lavasoft Ad-Aware Service
Service C:\WINDOWS\system32\DRIVERS\Lbd.sys (Boot Driver/Lavasoft AB) [BOOT] Lbd
Service [SYSTEM] lbrtfdc
Service ldap
Service C:\WINDOWS\system32\DRIVERS\LHidKE.Sys (Logitech HID Filter Driver./Logitech, Inc.) [MANUAL] LHidKe
Service C:\WINDOWS\System32\Drivers\LHidUsbK.Sys (Logitech USB Mouse Function Driver./Logitech, Inc.) [MANUAL] LHidUsbK
Service LicenseService
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] LmHosts
Service C:\WINDOWS\system32\DRIVERS\LMouKE.Sys (Logitech Filter Driver for Mouse Class./Logitech, Inc.) [MANUAL] LMouKE
Service C:\WINDOWS\ehome\mcrdsvc.exe (MCRD Device Service/Microsoft Corporation) [AUTO] McrdSvc
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [DISABLED] Messenger
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] MHN
Service C:\WINDOWS\system32\DRIVERS\mhndrv.sys (Microsoft Multimedia Home Network (MHN) Support Driver/Microsoft Corporation) [MANUAL] MHNDRV
Service (Frame buffer simulator/Microsoft Corporation) [SYSTEM] mnmdd
Service C:\WINDOWS\system32\mnmsrvc.exe (NetMeeting Remote Desktop Sharing/Microsoft Corporation) [MANUAL] mnmsrvc
Service (Modem Device Driver/Microsoft Corporation) [MANUAL] Modem
Service C:\WINDOWS\system32\drivers\MODEMCSA.sys (Unimodem CSA Filter/Microsoft Corporation) [MANUAL] MODEMCSA
Service C:\WINDOWS\system32\DRIVERS\mohfilt.sys (Filter Driver to Support Modem-on-Hold/Intel Corporation) [MANUAL] mohfilt
Service C:\WINDOWS\system32\DRIVERS\mouclass.sys (Mouse Class Driver/Microsoft Corporation) [SYSTEM] Mouclass
Service C:\WINDOWS\system32\DRIVERS\mouhid.sys (HID Mouse Filter Driver/Microsoft Corporation) [MANUAL] mouhid
Service (Mount Manager/Microsoft Corporation) [BOOT] MountMgr
Service [DISABLED] mraid35x
Service C:\WINDOWS\system32\DRIVERS\mrxdav.sys (Windows NT WebDav Minirdr/Microsoft Corporation) [MANUAL] MRxDAV
Service C:\WINDOWS\system32\DRIVERS\mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation) [SYSTEM] MRxSmb
Service C:\WINDOWS\system32\msdtc.exe (MS DTC console program/Microsoft Corporation) [MANUAL] MSDTC
Service MSDTC Bridge 3.0.0.0
Service (Mailslot driver/Microsoft Corporation) [SYSTEM] Msfs
Service C:\WINDOWS\system32\msiexec.exe (Windows® installer/Microsoft Corporation) [MANUAL] MSIServer
Service C:\WINDOWS\system32\drivers\MSKSSRV.sys (MS KS Server/Microsoft Corporation) [MANUAL] MSKSSRV
Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys (MS Proxy Clock/Microsoft Corporation) [MANUAL] MSPCLOCK
Service C:\WINDOWS\system32\drivers\MSPQM.sys (MS Proxy Quality Manager/Microsoft Corporation) [MANUAL] MSPQM
Service C:\WINDOWS\system32\DRIVERS\mssmbios.sys (System Management BIOS Driver/Microsoft Corporation) [MANUAL] mssmbios
Service (Multiple UNC Provider driver/Microsoft Corporation) [BOOT] Mup
Service (NDIS 5.1 wrapper driver/Microsoft Corporation) [BOOT] NDIS
Service C:\WINDOWS\system32\DRIVERS\ndistapi.sys (NDIS 3.0 connection wrapper driver/Microsoft Corporation) [MANUAL] NdisTapi
Service C:\WINDOWS\system32\DRIVERS\ndisuio.sys (NDIS User mode I/O Driver/Microsoft Corporation) [MANUAL] Ndisuio
Service C:\WINDOWS\system32\DRIVERS\ndiswan.sys (MS PPP Framing Driver (Strong Encryption)/Microsoft Corporation) [MANUAL] NdisWan
Service (NDIS Proxy/Microsoft Corporation) [MANUAL] NDProxy
Service C:\WINDOWS\system32\DRIVERS\netbios.sys (NetBIOS interface driver/Microsoft Corporation) [SYSTEM] NetBIOS
Service C:\WINDOWS\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation) [SYSTEM] NetBT
Service C:\WINDOWS\system32\netdde.exe (Network DDE - DDE Communication/Microsoft Corporation) [DISABLED] NetDDE
Service C:\WINDOWS\system32\netdde.exe (Network DDE - DDE Communication/Microsoft Corporation) [DISABLED] NetDDEdsdm
Service C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) [MANUAL] Netlogon
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] Netman
Service C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (SMSvcHost.exe/Microsoft Corporation) [DISABLED] NetTcpPortSharing
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] Nla
Service C:\WINDOWS\system32\DRIVERS\NMnt.sys (Netmon NT Driver/Microsoft Corporation) [MANUAL] nm
Service (NPFS Driver/Microsoft Corporation) [SYSTEM] Npfs
Service (NT File System Driver/Microsoft Corporation) [DISABLED] Ntfs
Service C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) [MANUAL] NtLmSsp
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] NtmsSvc
Service (NULL Driver/Microsoft Corporation) [SYSTEM] Null
Service C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys (NWLINK2 Traffic Filter Driver/Microsoft Corporation) [MANUAL] NwlnkFlt
Service C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys (NWLINK2 Forwarder Driver/Microsoft Corporation) [MANUAL] NwlnkFwd
Service C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Office Source Engine/Microsoft Corporation) [MANUAL] ose
Service (Parallel Port Driver/Microsoft Corporation) [MANUAL] Parport
Service (Partition Manager/Microsoft Corporation) [BOOT] PartMgr
Service (VDM Parallel Driver/Microsoft Corporation) [AUTO] ParVdm
Service C:\WINDOWS\system32\DRIVERS\pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation) [BOOT] PCI
Service [SYSTEM] PCIDump
Service C:\WINDOWS\system32\DRIVERS\pciide.sys (Generic PCI IDE Bus Driver/Microsoft Corporation) [BOOT] PCIIde
Service (PCMCIA Bus Driver/Microsoft Corporation) [DISABLED] Pcmcia
Service [MANUAL] PDCOMP
Service [MANUAL] PDFRAME
Service [MANUAL] PDRELI
Service [MANUAL] PDRFRAME
Service [DISABLED] perc2
Service [DISABLED] perc2hib
Service PerfDisk
Service PerfNet
Service PerfOS
Service PerfProc
Service C:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation) [AUTO] PlugPlay
Service C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) [AUTO] PolicyAgent
Service C:\WINDOWS\system32\DRIVERS\raspptp.sys (Peer-to-Peer Tunneling Protocol/Microsoft Corporation) [MANUAL] PptpMiniport
Service C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) [AUTO] ProtectedStorage
Service C:\WINDOWS\system32\DRIVERS\psched.sys (MS QoS Packet Scheduler/Microsoft Corporation) [MANUAL] PSched
Service C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) [MANUAL] Ptilink
Service C:\WINDOWS\System32\Drivers\PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) [BOOT] PxHelp20
Service [DISABLED] ql1080
Service [DISABLED] Ql10wnt
Service [DISABLED] ql12160
Service [DISABLED] ql1240
Service [DISABLED] ql1280
Service C:\WINDOWS\system32\DRIVERS\rasacd.sys (RAS Automatic Connection Driver/Microsoft Corporation) [SYSTEM] RasAcd
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] RasAuto
Service C:\WINDOWS\system32\DRIVERS\rasl2tp.sys (RAS L2TP mini-port/call-manager driver/Microsoft Corporation) [MANUAL] Rasl2tp
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] RasMan
Service C:\WINDOWS\system32\DRIVERS\raspppoe.sys (RAS PPPoE mini-port/call-manager driver/Microsoft Corporation) [MANUAL] RasPppoe
Service C:\WINDOWS\system32\DRIVERS\raspti.sys (PTI DirectParallel® mini-port/call-manager driver/Microsoft Corporation) [MANUAL] Raspti
Service C:\WINDOWS\system32\DRIVERS\rdbss.sys (Redirected Drive Buffering SubSystem Driver/Microsoft Corporation) [SYSTEM] Rdbss
Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys (RDP Miniport/Microsoft Corporation) [SYSTEM] RDPCDD
Service RDPDD
Service C:\WINDOWS\system32\DRIVERS\rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation) [MANUAL] rdpdr
Service RDPNP
Service (RDP Terminal Stack Driver (US/Canada Only, Not for Export)/Microsoft Corporation) [MANUAL] RDPWD
Service C:\WINDOWS\system32\sessmgr.exe (Microsoft® Remote Desktop Help Session Manager/Microsoft Corporation) [MANUAL] RDSessMgr
Service C:\WINDOWS\system32\DRIVERS\redbook.sys (Redbook Audio Filter Driver/Microsoft Corporation) [SYSTEM] redbook
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [DISABLED] RemoteAccess
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] RemoteRegistry
Service C:\Program Files\CyberLink\Shared Files\RichVideo.exe [AUTO] RichVideo
Service C:\Program Files\WinPcap\rpcapd.exe [MANUAL] rpcapd
Service C:\WINDOWS\system32\locator.exe (Rpc Locator/Microsoft Corporation) [MANUAL] RpcLocator
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] RpcSs
Service C:\WINDOWS\system32\rsvp.exe (Microsoft RSVP/Microsoft Corporation) [MANUAL] RSVP
Service C:\WINDOWS\system32\DRIVERS\RzSynapse.sys (Razer Synapse Engine/Razer USA Ltd) [MANUAL] RzSynapse
Service C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) [AUTO] SamSs
Service C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS (SASDIFSV.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) [SYSTEM] SASDIFSV
Service C:\Program Files\SUPERAntiSpyware\SASENUM.SYS (SASENUM.SYS/ SUPERAdBlocker.com and SUPERAntiSpyware.com) [MANUAL] SASENUM
Service C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) [SYSTEM] SASKUTIL
Service C:\WINDOWS\System32\SCardSvr.exe (Smart Card Resource Management Server/Microsoft Corporation) [MANUAL] SCardSvr
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] Schedule
Service C:\WINDOWS\system32\DRIVERS\secdrv.sys [MANUAL] Secdrv
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] seclogon
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] SENS
Service (Serial Device Driver/Microsoft Corporation) [AUTO] Serial
Service ServiceModelEndpoint 3.0.0.0
Service ServiceModelOperation 3.0.0.0
Service ServiceModelService 3.0.0.0
Service (SCSI Floppy Driver/Microsoft Corporation) [SYSTEM] Sfloppy
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [DISABLED] SharedAccess
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] ShellHWDetection
Service [DISABLED] Simbad
Service SMSvcHost 3.0.0.0
Service [DISABLED] Sparrow
Service C:\WINDOWS\system32\drivers\splitter.sys (Microsoft Kernel Audio Splitter/Microsoft Corporation) [MANUAL] splitter
Service C:\WINDOWS\system32\spoolsv.exe (Spooler SubSystem App/Microsoft Corporation) [AUTO] Spooler
Service C:\WINDOWS\system32\DRIVERS\sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation) [BOOT] sr
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] srservice
Service C:\WINDOWS\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation) [MANUAL] Srv
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] SSDPSRV
Service C:\WINDOWS\system32\drivers\sthda.sys (DELLRC/SigmaTel, Inc.) [MANUAL] STHDA
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] stisvc
Service C:\WINDOWS\system32\DRIVERS\swenum.sys (Plug and Play Software Device Enumerator/Microsoft Corporation) [MANUAL] swenum
Service C:\WINDOWS\system32\drivers\swmidi.sys (Microsoft GS Wavetable Synthesizer/Microsoft Corporation) [MANUAL] swmidi
Service C:\WINDOWS\system32\dllhost.exe (COM Surrogate/Microsoft Corporation) [MANUAL] SwPrv
Service [DISABLED] symc810
Service [DISABLED] symc8xx
Service [DISABLED] sym_hi
Service [DISABLED] sym_u3
Service C:\WINDOWS\system32\drivers\sysaudio.sys (System Audio WDM Filter/Microsoft Corporation) [MANUAL] sysaudio
Service C:\WINDOWS\system32\smlogsvc.exe (Performance Logs and Alerts Service/Microsoft Corporation) [MANUAL] SysmonLog
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] TapiSrv
Service C:\WINDOWS\system32\DRIVERS\tcpip.sys (TCP/IP Protocol Driver/Microsoft Corporation) [SYSTEM] Tcpip
Service (Named Pipe Transport Driver/Microsoft Corporation) [MANUAL] TDPIPE
Service (TCP Transport Driver/Microsoft Corporation) [MANUAL] TDTCP
Service C:\WINDOWS\system32\DRIVERS\termdd.sys (Terminal Server Driver/Microsoft Corporation) [SYSTEM] TermDD
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] TermService
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] Themes
Service C:\WINDOWS\system32\tlntsvr.exe (Telnet/Microsoft Corporation) [MANUAL] TlntSvr
Service C:\WINDOWS\system32\drivers\tmcomm.sys (TrendMicro Common Module/Trend Micro Inc.) [AUTO] tmcomm
Service [DISABLED] TosIde
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] TrkWks
Service TSDDD
Service (UDF File System Driver/Microsoft Corporation) [DISABLED] Udfs
Service [DISABLED] ultra
Service C:\WINDOWS\system32\DRIVERS\update.sys (Update Driver/Microsoft Corporation) [MANUAL] Update
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] upnphost
Service C:\WINDOWS\System32\ups.exe (UPS Service/Microsoft Corporation) [MANUAL] UPS
Service usb
Service System32\Drivers\usbaapl.sys [MANUAL] USBAAPL
Service C:\WINDOWS\system32\drivers\usbaudio.sys (USB Audio Class Driver/Microsoft Corporation) [MANUAL] usbaudio
Service C:\WINDOWS\system32\DRIVERS\usbccgp.sys (USB Common Class Generic Parent Driver/Microsoft Corporation) [MANUAL] usbccgp
Service C:\WINDOWS\system32\DRIVERS\usbehci.sys (EHCI eUSB Miniport Driver/Microsoft Corporation) [MANUAL] usbehci
Service C:\WINDOWS\system32\DRIVERS\usbhub.sys (Default Hub Driver for USB/Microsoft Corporation) [MANUAL] usbhub
Service C:\WINDOWS\system32\DRIVERS\usbprint.sys (USB Printer driver/Microsoft Corporation) [MANUAL] usbprint
Service C:\WINDOWS\system32\DRIVERS\usbscan.sys (USB Scanner Driver/Microsoft Corporation) [MANUAL] usbscan
Service C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS (USB Mass Storage Class Driver/Microsoft Corporation) [MANUAL] usbstor
Service C:\WINDOWS\system32\DRIVERS\usbuhci.sys (UHCI USB Miniport Driver/Microsoft Corporation) [MANUAL] usbuhci
Service C:\WINDOWS\System32\drivers\vga.sys (VGA/Super VGA Video Driver/Microsoft Corporation) [SYSTEM] VgaSave
Service [DISABLED] ViaIde
Service (Volume Shadow Copy Driver/Microsoft Corporation) [BOOT] VolSnap
Service C:\WINDOWS\System32\vssvc.exe (Microsoft® Volume Shadow Copy Service/Microsoft Corporation) [MANUAL] VSS
Service VxD
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] W32Time
Service W3SVC
Service C:\WINDOWS\system32\DRIVERS\wanarp.sys (MS Remote Access and Routing ARP Driver/Microsoft Corporation) [MANUAL] Wanarp
Service C:\WINDOWS\System32\Drivers\wdf01000.sys (WDF Dynamic/Microsoft Corporation) [MANUAL] Wdf01000
Service [MANUAL] WDICA
Service C:\WINDOWS\system32\drivers\wdmaud.sys (MMSYSTEM Wave/Midi API mapper/Microsoft Corporation) [MANUAL] wdmaud
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] WebClient
Service Windows Workflow Foundation 3.0.0.0
Service [AUTO] winmgmt
Service [MANUAL] Winsock
Service WinSock2
Service WinTrust
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] WmdmPmSN
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] Wmi
Service WmiApRpl
Service C:\WINDOWS\system32\wbem\wmiapsrv.exe (WMI Performance Adapter Service/Microsoft Corporation) [MANUAL] WmiApSrv
Service C:\Program Files\Windows Media Player\WMPNetwk.exe (Windows Media Player Network Sharing Service/Microsoft Corporation) [MANUAL] WMPNetworkSvc
Service C:\WINDOWS\System32\Drivers\wpdusb.sys (WPD USB Driver/Microsoft Corporation) [MANUAL] WpdUsb
Service C:\WINDOWS\System32\drivers\ws2ifsl.sys (Winsock2 IFS Layer/Microsoft Corporation) [SYSTEM] WS2IFSL
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] wscsvc
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] wuauserv
Service C:\WINDOWS\system32\DRIVERS\WudfPf.sys (Windows Driver Foundation - User-mode Driver Framework Platform Driver/Microsoft Corporation) [MANUAL] WudfPf
Service C:\WINDOWS\system32\DRIVERS\wudfrd.sys (Windows Driver Foundation - User-mode Driver Framework Reflector/Microsoft Corporation) [MANUAL] WudfRd
Service C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] WudfSvc
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [AUTO] WZCSVC
Service C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) [MANUAL] xmlprov
Service {FD11D7AA-3A64-4743-9C7C-E8E74CEDAFA7}

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{23E54E9D-3F41-171D-021C-78254B760B85}\InprocServer32@ C:\WINDOWS\system32\msvidctl.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{23E54E9D-3F41-171D-021C-78254B760B85}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{23E54E9D-3F41-171D-021C-78254B760B85}\TypeLib@ {B0EDF154-910A-11D2-B632-00C04F79498E}
Reg HKLM\SOFTWARE\Classes\CLSID\{E16CB62C-0461-6D4D-1A1D-8051437054FF}\InprocServer32@ C:\WINDOWS\system32\upnp.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E16CB62C-0461-6D4D-1A1D-8051437054FF}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E16CB62C-0461-6D4D-1A1D-8051437054FF}\ProgID@ UPnP.DescriptionDocument.1
Reg HKLM\SOFTWARE\Classes\CLSID\{E16CB62C-0461-6D4D-1A1D-8051437054FF}\TypeLib@ {DB3442A7-A2E9-4A59-9CB5-F5C1A5D901E5}
Reg HKLM\SOFTWARE\Classes\CLSID\{E16CB62C-0461-6D4D-1A1D-8051437054FF}\VersionIndependentProgID@ UPnP.DescriptionDocument
Reg HKLM\SOFTWARE\Classes\CLSID\{E4379E50-68C5-D33E-7FBA-56058C6AAC72}\InProcServer32@ C:\WINDOWS\system32\WMDMPS.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{E4379E50-68C5-D33E-7FBA-56058C6AAC72}\InProcServer32@ThreadingModel Both

---- EOF - GMER 1.0.15 ----

Edited by TDhonnhok, 16 April 2010 - 07:21 PM.
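The GMER service list above is long, and most of it is routine Windows XP drivers and svchost-hosted services. What a responder actually scans it for is the handful of entries that do not fit: a service binary that GMER could not pull a description/vendor out of, started at BOOT or SYSTEM time, or sitting in a Temp directory. The following Python script is an added example written for this page; it is not part of the thread, not GMER's own code, and the review rules are the editor's heuristics, not GMER's. The line format (`Service <ImagePath> (<Description>/<Vendor>) [<Start>] <Name>`, with any of the middle fields missing) is inferred from the log as posted, and the sample lines are copied from that log. Note that `catchme.sys` in the Temp directory is GMER's own scanning driver, so it is expected to be flagged as noise; the randomly named `dqr6ed8.sys` loaded at BOOT with no version information is the kind of entry an analyst would examine first.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Start types GMER prints in square brackets before the service name.
START_RE = re.compile(r"\[(BOOT|SYSTEM|AUTO|MANUAL|DISABLED)\]")


@dataclass
class ServiceEntry:
    name: str
    path: Optional[str]         # ImagePath as printed, None when GMER printed none
    description: Optional[str]  # file description from version info, None when absent
    vendor: Optional[str]       # company name from version info, None when absent
    start: Optional[str]        # BOOT / SYSTEM / AUTO / MANUAL / DISABLED


def _split_trailing_parens(text: str) -> Tuple[str, Optional[str]]:
    """Split off the balanced (...) group that ends `text`.

    Descriptions can contain their own parentheses, e.g.
    "(LSA Shell (Export Version)/Microsoft Corporation)", so a plain regex
    will not do; walk backwards tracking nesting depth instead.
    """
    text = text.rstrip()
    if not text.endswith(")"):
        return text, None
    depth = 0
    for i in range(len(text) - 1, -1, -1):
        if text[i] == ")":
            depth += 1
        elif text[i] == "(":
            depth -= 1
            if depth == 0:
                return text[:i].rstrip(), text[i + 1:-1]
    return text, None  # unbalanced: treat the whole thing as path text


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one 'Service ...' line; return None for any other GMER line."""
    line = line.strip()
    if not line.startswith("Service "):
        return None
    body = line[len("Service "):]
    starts = list(START_RE.finditer(body))
    if not starts:
        # In the posted log, lines without a start type carry only a name.
        return ServiceEntry(body.strip(), None, None, None, None)
    m = starts[-1]
    name = body[m.end():].strip()
    head, info = _split_trailing_parens(body[:m.start()])
    description = vendor = None
    if info is not None:
        # The vendor follows the last '/'; descriptions such as
        # "IP/ATM Arp Client" contain slashes too, so split from the right.
        if "/" in info:
            description, vendor = (s.strip() for s in info.rsplit("/", 1))
        else:
            description = info.strip()
    return ServiceEntry(name, head or None, description, vendor, m.group(1))


def review(entry: ServiceEntry) -> List[str]:
    """Reasons an analyst should look at this entry first (empty = nothing notable)."""
    reasons: List[str] = []
    if entry.path and entry.description is None:
        if entry.start in ("BOOT", "SYSTEM"):
            reasons.append("early-start driver whose binary carries no description/vendor")
        if re.search(r"\\temp\\", entry.path, re.IGNORECASE):
            reasons.append("service binary lives under a Temp directory")
    return reasons


def review_log(lines: List[str]) -> List[Tuple[ServiceEntry, List[str]]]:
    """Parse every line and keep only the entries that have review reasons."""
    flagged = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is not None:
            reasons = review(entry)
            if reasons:
                flagged.append((entry, reasons))
    return flagged


# Sample input: Service lines copied from the GMER log posted above (plus one
# Reg line to show that non-service lines are ignored).
SAMPLE_LINES = [
    r"Service Atierecord",
    r"Service C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys [MANUAL] catchme",
    r"Service C:\WINDOWS\system32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation) [SYSTEM] Cdrom",
    r"Service System32\drivers\dqr6ed8.sys [BOOT] dqr6ed8",
    r"Service system32\DRIVERS\Ip6Fw.sys [MANUAL] Ip6Fw",
    r"Service C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Ad-Aware Service Application/Lavasoft) [AUTO] Lavasoft Ad-Aware Service",
    r"Service C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) [MANUAL] Netlogon",
    r"Reg HKLM\SOFTWARE\Classes\CLSID\{E4379E50-68C5-D33E-7FBA-56058C6AAC72}\InProcServer32@ThreadingModel Both",
]

if __name__ == "__main__":
    for entry, reasons in review_log(SAMPLE_LINES):
        print(f"{entry.name:10} [{entry.start}] {entry.path}")
        for r in reasons:
            print(f"    - {r}")
```

Run it against the full `ark.txt` by reading the file into `review_log`. The rules deliberately flag only entries that lack version information; a relative ImagePath on its own (as with `Ip6Fw.sys` or `usbaapl.sys`) is normal in the registry and is not treated as suspicious, which keeps the output short enough to read by hand.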


#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 April 2010 - 07:49 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#4 TDhonnhok

TDhonnhok
  • Topic Starter

  • Members
  • 34 posts

Posted 19 April 2010 - 11:55 PM

Thanks for the assistance, M0le! I'm here, just let me know what you need from me.

Regards,

Tim

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 20 April 2010 - 06:10 PM

This is the TDL3 rootkit.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#6 TDhonnhok

TDhonnhok
  • Topic Starter

  • Members
  • 34 posts

Posted 20 April 2010 - 10:13 PM

Done. Here's the log:

ComboFix 10-04-19.08 - Tim 04/20/2010 23:01:41.7.2 - x86
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\isapnp.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-18 04:12 . 2010-04-18 04:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-04-14 01:17 . 2010-04-14 01:17 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-04-14 01:17 . 2010-04-14 01:17 -------- d-----w- c:\program files\NOS
2010-04-14 01:17 . 2010-03-29 12:53 32576 ----a-w- c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-04-14 01:17 . 2010-03-29 12:53 29984 ----a-w- c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-04-13 17:59 . 2004-08-10 11:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-04-12 10:03 . 2010-04-12 10:03 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-12 10:03 . 2010-04-12 10:03 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-12 10:02 . 2010-04-12 10:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-11 09:19 . 2010-04-11 09:19 52224 ----a-w- c:\documents and settings\Tim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-11 09:19 . 2010-04-11 09:19 117760 ----a-w- c:\documents and settings\Tim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-11 01:31 . 2010-04-11 01:31 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-10 12:25 . 2010-04-10 12:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-09 11:52 . 2010-04-09 06:20 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-09 06:21 . 2010-04-09 06:20 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-09 06:21 . 2010-04-09 06:21 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-04-09 06:21 . 2010-04-09 06:21 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-04-09 06:19 . 2010-04-09 06:19 566648 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-04-09 06:19 . 2010-04-09 06:19 567144 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-04-09 06:19 . 2010-04-09 06:19 2357064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-04-09 06:19 . 2010-04-09 06:19 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-04-09 06:19 . 2010-04-09 06:19 524632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-09 06:19 . 2010-04-09 06:19 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-09 06:11 . 2010-04-11 06:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-04-09 06:11 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2010-04-09 01:09 . 2010-04-09 01:09 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-08 23:57 . 2010-04-08 23:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-08 23:17 . 2010-04-08 23:17 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Magentic
2010-04-08 23:15 . 2010-04-08 23:15 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\{8C75FF66-B038-421B-A0F3-A920302F2081}
2010-04-08 19:10 . 2010-04-18 04:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-08 18:55 . 2010-04-08 23:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
2010-04-08 18:01 . 2010-04-08 23:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-04-08 07:27 . 2010-04-08 23:16 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-04-06 20:36 . 2010-04-08 23:16 -------- d-----w- c:\documents and settings\Logra\Application Data\Winamp
2010-03-24 20:36 . 2010-04-08 23:17 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\WildPockets
2010-03-24 20:36 . 2009-11-18 21:30 557056 ----a-w- c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\wildpocketsloader@simopsstudios.com\plugins\npWildPocketsLoader.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 15:26 . 2006-02-21 14:46 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-20 06:09 . 2006-02-21 17:22 -------- d-----w- c:\program files\Warcraft III
2010-04-19 18:59 . 2004-08-10 11:00 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-14 01:21 . 2009-12-16 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-13 17:54 . 2006-02-21 15:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-11 09:18 . 2009-05-05 22:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-11 09:18 . 2009-05-05 22:39 -------- d-----w- c:\documents and settings\Tim\Application Data\SUPERAntiSpyware.com
2010-04-11 09:18 . 2007-11-21 00:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-11 06:43 . 2007-03-16 01:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-11 01:42 . 2009-05-01 23:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2010-04-11 01:31 . 2009-08-30 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 06:04 . 2009-12-31 16:25 47880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-10 04:46 . 2007-01-23 12:08 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-04-10 04:35 . 2010-01-04 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-04-10 04:34 . 2010-01-04 23:21 -------- d-----w- c:\program files\Common Files\Apple
2010-04-10 04:30 . 2009-08-06 06:30 -------- d-----w- c:\program files\NCSoft
2010-04-09 06:11 . 2009-05-02 03:21 -------- d-----w- c:\program files\Lavasoft
2010-04-09 06:11 . 2009-05-02 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-09 04:07 . 2009-09-06 03:28 -------- d-----w- c:\program files\AVG
2010-04-02 19:22 . 2006-02-23 13:28 47880 -c--a-w- c:\documents and settings\Logra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-30 04:46 . 2009-08-30 22:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-08-30 22:20 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 21:51 . 2010-03-16 21:51 -------- d-----w- c:\program files\KingsIsle Entertainment
2010-03-11 23:50 . 2006-02-21 17:25 93885 -c--a-w- c:\windows\War3Unin.dat
2010-01-25 23:12 . 2010-02-10 22:06 65536 ----a-w- c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
2008-03-23 15:21 . 2008-03-23 15:21 0 -c--a-w- c:\program files\temp01
2008-09-04 21:12 . 2006-06-08 20:35 56 -csh--r- c:\windows\system32\E94F4C4C6E.sys
2008-09-04 21:12 . 2006-06-08 20:35 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-01-21_03.02.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 00:54 . 2009-07-12 00:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 00:32 . 2009-07-12 00:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 00:32 . 2009-07-12 00:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 00:32 . 2009-07-12 00:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 00:32 . 2009-07-12 00:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 00:32 . 2009-07-12 00:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 00:32 . 2009-07-12 00:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 00:32 . 2009-07-12 00:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 00:32 . 2009-07-12 00:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 00:32 . 2009-07-12 00:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 05:07 . 2009-07-12 05:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 05:19 . 2009-07-12 05:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-11 23:41 . 2009-07-11 23:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2010-04-21 03:01 . 2010-04-21 03:01 16384 c:\windows\temp\Perflib_Perfdata_1c4.dat
- 2009-04-07 04:20 . 2009-04-07 04:20 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-04-07 04:20 . 2010-04-14 01:17 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2010-04-09 06:21 . 2010-04-09 06:20 64160 c:\windows\system32\DRVSTORE\lbd_4C6E0193F967021F4DECA024CA3950BECD8BF864\Lbd.sys
+ 2004-08-10 11:00 . 2010-04-19 18:59 35840 c:\windows\system32\dllcache\isapnp.sys
+ 2010-04-08 17:43 . 2010-04-08 17:43 47880 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
+ 2010-04-11 09:19 . 2010-04-11 09:19 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-04-11 09:19 . 2010-04-11 09:19 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-04-10 22:31 . 2010-04-10 22:31 16384 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2010-04-01 08:57 . 2010-04-01 08:57 12288 c:\windows\ERDNT\subs(2)\Users(2)\00000004(2)\UsrClass.dat
+ 2010-04-01 08:57 . 2010-04-01 08:57 12288 c:\windows\ERDNT\subs(2)\Users(2)\00000002(2)\UsrClass.dat
+ 2010-04-11 09:19 . 2010-04-11 09:19 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2006-03-04 03:33 . 2006-03-04 03:33 902693 c:\windows\system32\yasuexh.dll
+ 2010-01-27 01:07 . 2010-01-27 01:07 256280 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2006-03-04 03:33 . 2006-03-04 03:33 899508 c:\windows\system32\jmfotowin.dll
+ 2006-03-04 03:33 . 2006-03-04 03:33 965763 c:\windows\system32\evarexg.dll
+ 2006-02-21 14:30 . 2010-04-09 11:52 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-02-21 14:30 . 2009-12-12 05:26 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-04-09 04:06 . 2010-04-09 04:06 424448 c:\windows\Installer\3fe10f.msi
+ 2010-04-10 22:31 . 2010-04-10 22:31 819200 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2010-04-01 08:57 . 2010-04-01 08:57 225280 c:\windows\ERDNT\subs(2)\Users(2)\00000006(2)\UsrClass.dat
+ 2010-04-01 08:57 . 2010-04-01 08:57 241664 c:\windows\ERDNT\subs(2)\Users(2)\00000003(2)\ntuser.dat
+ 2010-04-01 08:57 . 2010-04-01 08:57 241664 c:\windows\ERDNT\subs(2)\Users(2)\00000001(2)\NTUSER.DAT
+ 2009-07-12 00:46 . 2009-07-12 00:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 00:46 . 2009-07-12 00:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
+ 2006-03-04 03:33 . 2006-03-04 03:33 1368390 c:\windows\system32\yaarb.dll
+ 2006-03-04 03:33 . 2006-03-04 03:33 1600829 c:\windows\system32\slofolo.dll
+ 2006-03-04 03:33 . 2006-03-04 03:33 4272465 c:\windows\system32\sheorerrdo.dll
+ 2006-12-24 17:28 . 2010-04-08 23:19 5320596 c:\windows\system32\Restore\rstrlog.dat
+ 2006-03-04 03:33 . 2006-03-04 03:33 1422829 c:\windows\system32\papiorasu.dll
+ 2006-03-04 03:33 . 2006-03-04 03:33 2465907 c:\windows\system32\etarerrshe.dll
+ 2006-03-04 03:33 . 2006-03-04 03:33 1545751 c:\windows\system32\dohpogi.dll
+ 2006-03-04 03:33 . 2006-03-04 03:33 1096587 c:\windows\system32\doashand.dll
+ 2006-03-04 03:33 . 2006-03-04 03:33 2279641 c:\windows\system32\dllpwip.dll
+ 2010-04-11 09:18 . 2010-04-11 09:18 1583616 c:\windows\Installer\825de9.msi
+ 2010-04-09 06:11 . 2010-04-09 06:11 1802240 c:\windows\Installer\3a67cc.msi
+ 2010-04-01 08:57 . 2010-04-01 08:57 5611520 c:\windows\ERDNT\subs(2)\Users(2)\00000005(2)\ntuser.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 29696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Razer Naga Driver"="c:\program files\Razer\Naga\NagaTray.exe" [2010-01-02 1631616]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-04-09 524632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-2-21 581632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 18:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-04-13 15:09 49152 -c--a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Safe Cleaner"=c:\windows\smc.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
"AVG8_TRAY"=c:\progra~1\AVG\avgtray.exe
"SM_IAN"=c:\program files\AdvancedCleaner Free\ian_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\World Editor.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\FINAL FANTASY XI\\ToolsUS\\FINAL FANTASY XI Config.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\FINAL FANTASY XI\\polboot.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 dqr6ed8;dqr6ed8;c:\windows\\SystemRoot\System32\drivers\dqr6ed8.sys [x]
R1 4bdc0867.sys;4bdc0867.sys;c:\windows\System32\drivers\4bdc0867.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-04-09 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-17 66632]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-09 1029456]
S3 RzSynapse;Razer Naga Driver;c:\windows\system32\DRIVERS\RzSynapse.sys [2009-12-24 54144]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 06:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wiki.ffxiclopedia.org/wiki/Main_Page
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\wildpocketsloader@simopsstudios.com\plugins\npWildPocketsLoader.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 23:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2010-04-20 23:09:20
ComboFix-quarantined-files.txt 2010-04-21 03:09
ComboFix2.txt 2010-04-10 06:26
ComboFix3.txt 2010-04-08 20:20
ComboFix4.txt 2010-04-01 09:03
ComboFix5.txt 2010-04-10 23:13

Pre-Run: 121,020,268,544 bytes free
Post-Run: 121,090,998,272 bytes free

- - End Of File - - AA096BD75EC10E6A50FA2A2F88C3BA38


Regards,

Tim

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 April 2010 - 04:09 PM

Just a couple of matters to deal with


A second run of Combofix should clear this

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
http://www.bleepingcomputer.com/forums/t/310206/aveexe-infection-svchostexebrowser-hijacked-more/

Collect::
c:\windows\system32\yasuexh.dll
c:\windows\system32\yaarb.dll
c:\windows\system32\slofolo.dll
c:\windows\system32\sheorerrdo.dll
c:\windows\system32\papiorasu.dll
c:\windows\system32\etarerrshe.dll
c:\windows\system32\dohpogi.dll
c:\windows\system32\doashand.dll
c:\windows\system32\dllpwip.dll
c:\windows\system32\jmfotowin.dll
c:\windows\system32\evarexg.dll
c:\windows\\SystemRoot\System32\drivers\dqr6ed8.sys
c:\windows\System32\drivers\4bdc0867.sys

Driver::
dqr6ed8
4bdc0867.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
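As an added illustration, not code from this thread or from ComboFix's authors, here is a small Python triage of the two log patterns m0le acted on above: a burst of DLLs dropped straight into system32 that share one backdated creation stamp, and boot/system-start drivers whose file ComboFix marks with [x]. It then renders the result in the Collect::/Driver:: layout of the CFScript. The sample log lines are constructed, copied in shape from the log posted in this thread; the section parsing assumes ComboFix's "+/- created . modified size path" snapshot lines and "Rn name;display;path [status]" service lines.

```python
import re
from collections import defaultdict

# Constructed sample, copied in shape from the ComboFix log posted in this thread
# (lines from the SnapShot section, then from the driver/service listing).
SAMPLE_LOG = r"""
+ 2006-03-04 03:33 . 2006-03-04 03:33 902693 c:\windows\system32\yasuexh.dll
+ 2010-01-27 01:07 . 2010-01-27 01:07 256280 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2006-03-04 03:33 . 2006-03-04 03:33 899508 c:\windows\system32\jmfotowin.dll
+ 2006-03-04 03:33 . 2006-03-04 03:33 965763 c:\windows\system32\evarexg.dll
- 2006-02-21 14:30 . 2009-12-12 05:26 147456 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-07-12 00:46 . 2009-07-12 00:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
R0 dqr6ed8;dqr6ed8;c:\windows\\SystemRoot\System32\drivers\dqr6ed8.sys [x]
R1 4bdc0867.sys;4bdc0867.sys;c:\windows\System32\drivers\4bdc0867.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-04-09 64160]
"""

# "+"/"-" snapshot delta: sign, created stamp, modified stamp, size, path
SNAPSHOT_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+)$")
# Driver/service line: start type (R0..R3 / S0..S3), name, display name, path, [status]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[([^\]]+)\]$")


def parse_log(text):
    """Split a ComboFix log into snapshot entries and driver/service entries."""
    snapshot, services = [], []
    for line in text.splitlines():
        m = SNAPSHOT_RE.match(line)
        if m:
            sign, created, modified, size, path = m.groups()
            snapshot.append({"sign": sign, "created": created, "modified": modified,
                             "size": int(size), "path": path})
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, status = m.groups()
            # ComboFix prints [x] where it could not find the listed file on disk.
            services.append({"start": start, "name": name, "display": display,
                             "path": path, "missing": status == "x"})
    return snapshot, services


def timestamp_clusters(snapshot, min_count=3):
    """Group newly added ('+') files sitting directly in system32 by creation stamp.

    Several DLLs with identical, years-old creation stamps appearing in one snapshot
    delta, with no installer to account for them, is the pattern m0le collected above.
    """
    by_stamp = defaultdict(list)
    for e in snapshot:
        parent = e["path"].lower().rsplit("\\", 1)[0]
        if e["sign"] == "+" and parent.endswith("\\windows\\system32"):
            by_stamp[e["created"]].append(e["path"])
    return {stamp: paths for stamp, paths in by_stamp.items() if len(paths) >= min_count}


def suspicious_drivers(services):
    """Boot- or system-start drivers (R0/R1/S0/S1) whose file ComboFix could not find."""
    return [s for s in services if s["missing"] and s["start"][1] in "01"]


def build_cfscript(collect_paths, driver_names):
    """Render Collect:: and Driver:: sections in the CFScript layout used in the thread."""
    lines = ["Collect::", *collect_paths, "", "Driver::", *driver_names, ""]
    return "\n".join(lines)


if __name__ == "__main__":
    snap, svcs = parse_log(SAMPLE_LOG)
    clusters = timestamp_clusters(snap)
    bad = suspicious_drivers(svcs)
    collect = [p for paths in clusters.values() for p in paths] + [d["path"] for d in bad]
    print(build_cfscript(collect, [d["name"] for d in bad]))
```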

#8 TDhonnhok

TDhonnhok
  • Topic Starter

  • Members
  • 34 posts

Posted 21 April 2010 - 09:52 PM

I ran the Combofix tool as advised. Below is the log. Also if it helps to know, the system is still running the high-resource svchost.exe processes and I get an admin access error notice for my graphics card configuration after the deletions.

ComboFix 10-04-21.01 - Tim 04/21/2010 22:37:10.8.2 - x86
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim\Desktop\CFScript.txt
* Created a new restore point

file zipped: c:\windows\system32\dllpwip.dll
file zipped: c:\windows\system32\doashand.dll
file zipped: c:\windows\system32\dohpogi.dll
file zipped: c:\windows\system32\etarerrshe.dll
file zipped: c:\windows\system32\evarexg.dll
file zipped: c:\windows\system32\jmfotowin.dll
file zipped: c:\windows\system32\papiorasu.dll
file zipped: c:\windows\system32\sheorerrdo.dll
file zipped: c:\windows\system32\slofolo.dll
file zipped: c:\windows\system32\yaarb.dll
file zipped: c:\windows\system32\yasuexh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dllpwip.dll
c:\windows\system32\doashand.dll
c:\windows\system32\dohpogi.dll
c:\windows\system32\etarerrshe.dll
c:\windows\system32\evarexg.dll
c:\windows\system32\jmfotowin.dll
c:\windows\system32\papiorasu.dll
c:\windows\system32\sheorerrdo.dll
c:\windows\system32\slofolo.dll
c:\windows\system32\yaarb.dll
c:\windows\system32\yasuexh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_4bdc0867.sys
-------\Service_dqr6ed8


((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2010-04-18 04:12 . 2010-04-18 04:12 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2010-04-14 01:17 . 2010-04-14 01:17 1924976 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-04-14 01:17 . 2010-04-14 01:17 -------- d-----w- c:\program files\NOS
2010-04-14 01:17 . 2010-03-29 12:53 32576 ----a-w- c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2010-04-14 01:17 . 2010-03-29 12:53 29984 ----a-w- c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2010-04-13 17:59 . 2004-08-10 11:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2010-04-12 10:03 . 2010-04-12 10:03 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-12 10:03 . 2010-04-12 10:03 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-12 10:02 . 2010-04-12 10:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-04-11 09:19 . 2010-04-11 09:19 52224 ----a-w- c:\documents and settings\Tim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-11 09:19 . 2010-04-11 09:19 117760 ----a-w- c:\documents and settings\Tim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-11 01:31 . 2010-04-11 01:31 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-10 12:25 . 2010-04-10 12:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-04-09 11:52 . 2010-04-09 06:20 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-09 06:21 . 2010-04-09 06:20 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-09 06:21 . 2010-04-09 06:21 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-04-09 06:21 . 2010-04-09 06:21 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-04-09 06:19 . 2010-04-09 06:19 566648 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-04-09 06:19 . 2010-04-09 06:19 567144 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-04-09 06:19 . 2010-04-09 06:19 2357064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-04-09 06:19 . 2010-04-09 06:19 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-04-09 06:19 . 2010-04-09 06:19 524632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-04-09 06:19 . 2010-04-09 06:19 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-04-09 06:11 . 2010-04-11 06:42 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2010-04-09 06:11 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2010-04-09 01:09 . 2010-04-09 01:09 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-08 23:57 . 2010-04-08 23:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-08 23:17 . 2010-04-08 23:17 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\Magentic
2010-04-08 23:15 . 2010-04-08 23:15 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\{8C75FF66-B038-421B-A0F3-A920302F2081}
2010-04-08 19:10 . 2010-04-18 04:11 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-04-08 18:55 . 2010-04-08 23:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
2010-04-08 18:01 . 2010-04-08 23:15 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-04-08 07:27 . 2010-04-08 23:16 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-04-06 20:36 . 2010-04-08 23:16 -------- d-----w- c:\documents and settings\Logra\Application Data\Winamp
2010-03-24 20:36 . 2010-04-08 23:17 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\WildPockets
2010-03-24 20:36 . 2009-11-18 21:30 557056 ----a-w- c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\wildpocketsloader@simopsstudios.com\plugins\npWildPocketsLoader.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 05:54 . 2006-02-21 17:22 -------- d-----w- c:\program files\Warcraft III
2010-04-20 15:26 . 2006-02-21 14:46 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-19 18:59 . 2004-08-10 11:00 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-14 01:21 . 2009-12-16 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-13 17:54 . 2006-02-21 15:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-11 09:18 . 2009-05-05 22:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-11 09:18 . 2009-05-05 22:39 -------- d-----w- c:\documents and settings\Tim\Application Data\SUPERAntiSpyware.com
2010-04-11 09:18 . 2007-11-21 00:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-11 06:43 . 2007-03-16 01:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-11 01:42 . 2009-05-01 23:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2010-04-11 01:31 . 2009-08-30 22:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 06:04 . 2009-12-31 16:25 47880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-10 04:46 . 2007-01-23 12:08 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-04-10 04:35 . 2010-01-04 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-04-10 04:34 . 2010-01-04 23:21 -------- d-----w- c:\program files\Common Files\Apple
2010-04-10 04:30 . 2009-08-06 06:30 -------- d-----w- c:\program files\NCSoft
2010-04-09 06:11 . 2009-05-02 03:21 -------- d-----w- c:\program files\Lavasoft
2010-04-09 06:11 . 2009-05-02 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-04-09 04:07 . 2009-09-06 03:28 -------- d-----w- c:\program files\AVG
2010-04-02 19:22 . 2006-02-23 13:28 47880 -c--a-w- c:\documents and settings\Logra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-30 04:46 . 2009-08-30 22:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-08-30 22:20 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 21:51 . 2010-03-16 21:51 -------- d-----w- c:\program files\KingsIsle Entertainment
2010-03-11 23:50 . 2006-02-21 17:25 93885 -c--a-w- c:\windows\War3Unin.dat
2010-01-25 23:12 . 2010-02-10 22:06 65536 ----a-w- c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
2008-03-23 15:21 . 2008-03-23 15:21 0 -c--a-w- c:\program files\temp01
2008-09-04 21:12 . 2006-06-08 20:35 56 -csh--r- c:\windows\system32\E94F4C4C6E.sys
2008-09-04 21:12 . 2006-06-08 20:35 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-04-21_03.07.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-22 02:43 . 2010-04-22 02:43 16384 c:\windows\temp\Perflib_Perfdata_784.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 29696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Razer Naga Driver"="c:\program files\Razer\Naga\NagaTray.exe" [2010-01-02 1631616]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-04-09 524632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2006-2-21 581632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 18:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-04-13 15:09 49152 -c--a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"Safe Cleaner"=c:\windows\smc.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Ad-Watch"=c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
"AVG8_TRAY"=c:\progra~1\AVG\avgtray.exe
"SM_IAN"=c:\program files\AdvancedCleaner Free\ian_monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\World Editor.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\FINAL FANTASY XI\\ToolsUS\\FINAL FANTASY XI Config.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\FINAL FANTASY XI\\polboot.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-04-09 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-17 66632]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-04-09 1029456]
S3 RzSynapse;Razer Naga Driver;c:\windows\system32\DRIVERS\RzSynapse.sys [2009-12-24 54144]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 06:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wiki.ffxiclopedia.org/wiki/Main_Page
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\ib55gnne.default\extensions\wildpocketsloader@simopsstudios.com\plugins\npWildPocketsLoader.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2072)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\stsystra.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-04-21 22:47:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-22 02:47
ComboFix2.txt 2010-04-21 03:09
ComboFix3.txt 2010-04-10 06:26
ComboFix4.txt 2010-04-08 20:20
ComboFix5.txt 2010-04-22 02:36

Pre-Run: 121,075,785,728 bytes free
Post-Run: 120,976,678,912 bytes free

- - End Of File - - FFDF28D42E135B78AAA1975A943DAF96

Thanks again for the assistance, m0le!

Regards,

Tim

Edited by TDhonnhok, 21 April 2010 - 09:53 PM.


#9 m0le

  • Malware Response Team
Posted 22 April 2010 - 06:28 PM

The svchost problem and graphics card issue may well be connected and not be malware-connected.

Please run ESET online scanner and once you're clean we'll see what the best way to deal with these malfunctions is.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found there will be no option to export the text file as no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#10 TDhonnhok

  • Topic Starter

Posted 22 April 2010 - 11:20 PM

Done. Here's the log:

C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws20.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws22.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws3.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws5.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard1.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentkds.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Qoobox\Quarantine\[4]-Submit_2010-04-21_22.36.45.zip a variant of Win32/Delf.PFX trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.PY trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\isapnp.sys.vir Win32/Olmarik.XG trojan cleaned - quarantined
C:\System Volume Information\_restore{395FCED3-CDC9-40BD-9351-FE02A904002E}\RP192\A0043759.exe a variant of Win32/Kryptik.DQB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{395FCED3-CDC9-40BD-9351-FE02A904002E}\RP192\A0043792.exe a variant of Win32/Kryptik.DQB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{395FCED3-CDC9-40BD-9351-FE02A904002E}\RP198\A0052281.sys Win32/Olmarik.XG trojan cleaned - quarantined
C:\System Volume Information\_restore{395FCED3-CDC9-40BD-9351-FE02A904002E}\RP199\A0052744.exe probably a variant of Win32/Agent trojan cleaned by deleting - quarantined

Regards,

Tim


#11 m0le

  • Malware Response Team

Posted 23 April 2010 - 01:31 PM

Please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

#12 TDhonnhok

  • Topic Starter

Posted 23 April 2010 - 02:25 PM

Ran MBAM. Nothing was found apparently. Here's the log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4027

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/23/2010 3:23:08 PM
mbam-log-2010-04-23 (15-23-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 241734
Time elapsed: 45 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Regards,

Tim

#13 m0le

  • Malware Response Team

Posted 23 April 2010 - 03:00 PM

The PC looks clean.

Are there any problems still with you?

#14 TDhonnhok

  • Topic Starter

Posted 23 April 2010 - 05:00 PM

I'm still getting a startup notification informing me that "You do not have permission to change CATALYST Control Center settings. Please contact your administrator for further help." I'm the admin for this PC and the only person that uses it as well.

Aside from that, everything's working wonderfully now! You've been a great help, m0le. I appreciate everything you've done to assist me.

Regards,

Tim


#15 m0le

  • Malware Response Team

Posted 23 April 2010 - 05:11 PM

Find the .NET 2.0 installer, right-click it and select Repair.

Now reboot the computer. Does that solve it?