ave.exe, redirects


#1 moosentonks

Posted 27 April 2010 - 04:43 PM

Looks like a pretty common infection, these days.

About a week ago I was hit with ave.exe. I ran trojan_fakerean_exe_fix.reg and then MBAM, which took care of ave. I ran Avast! and found Vundo. Taking care of that seemed to clear up the problem.

Then, I started getting redirects and ave.exe popped up again. I cannot connect to Windows Update, or even enter "windows update" into a field (I'm posting this from another PC; something in my logs seems to be triggering whatever bug I've got to reset my connection when I try to post). Avast! and MBAM are coming up clean.

Thanks for your time and help!

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 15:16:53.54 on Tue 04/27/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.406 [GMT -4:00]

AV: avast! antivirus 4.8.1368 [VPS 100427-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Glary Utilities\memdefrag.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {7c56865c-64c3-44a0-adbc-520747397690} - hajigira.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Glary Memory Optimizer] c:\program files\glary utilities\memdefrag.exe
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: &Winamp Toolbar Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
Trusted Zone:
Trusted Zone: intuit.com\ttlc
Trusted Zone: motive.com\patttbc.att
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124597310953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: pasugusa.dll c:\windows\system32\jakituno.dll
SSODL: nasagibos - {8c398e72-650d-4201-8bfc-d78968c4ec8f} - c:\windows\system32\jakituno.dll
STS: tokatiluy: {8c398e72-650d-4201-8bfc-d78968c4ec8f} - c:\windows\system32\jakituno.dll
LSA: Notification Packages = scecli pasugusa.dll
Hosts: osguard-pro.microsoft.com
Hosts: osguard-pro.com
Hosts: www.osguard-pro.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\i3qlz4u7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.georgerrmartin.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrl.1.0.21115.0.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-4-14 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-4-14 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-4-14 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-14 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-4-14 352920]

=============== Created Last 30 ================

2010-04-27 19:10:37 20 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-22 19:30:59 0 d-----w- c:\program files\GPLGS
2010-04-22 19:29:40 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2010-04-22 19:29:05 0 d-----w- c:\program files\Acro Software
2010-04-11 21:54:21 0 dc----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-04-11 21:53:35 0 d-----w- c:\program files\Security Task Manager
2010-04-10 20:24:42 0 d-----w- c:\program files\common files\AnswerWorks 5.0
2010-04-10 19:59:51 0 d-----w- c:\windows\system32\XPSViewer
2010-04-10 19:58:08 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-04-10 19:58:08 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-04-10 19:58:08 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-04-10 19:58:08 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-04-10 19:58:08 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-04-10 19:58:08 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-04-10 19:58:08 117760 ------w- c:\windows\system32\prntvpt.dll
2010-04-10 19:58:06 0 dc----w- C:\e16da6f4de8c297e3b03
2010-04-10 19:51:01 0 d-----w- c:\program files\MSXML 6.0

==================== Find3M ====================

2010-04-12 11:02:19 73288 -c--a-w- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 21:24:31 26961 ----a-w- c:\program files\Morrowind.ini
2004-10-05 21:04:27 56 --sh--r- c:\windows\system32\2853C672B1.sys

============= FINISH: 15:18:46.37 ===============
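The log above is a DDS report, and the "Pseudo HJT Report" section lists the persistence locations a malware analyst reads first. The following Python is an added example (not part of the original thread and not part of the DDS tool) that parses a handful of lines in that format and flags the entries a helper would typically question: a replaced Winlogon UIHost, a BHO registered without a friendly name, AppInit_DLLs entries, ShellServiceObjectDelayLoad entries, non-default LSA notification packages, and HOSTS-file overrides. It also cross-references DLL names so that a library registered in two persistence locations is called out once more. The rule set is a minimal, hypothetical one chosen for illustration; the sample lines are copied from the posted log, plus one benign control line that is constructed.

```python
"""Triage of a DDS 'Pseudo HJT Report' section (added example, not DDS code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied from the log posted in the thread, plus one
# constructed benign control line (the mRun avast! entry is from the log too,
# the 'named BHO' line is the ssv.dll entry from the log) so the parser shows
# entries it does NOT flag as well as ones it does.
SAMPLE_REPORT = r"""
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {7c56865c-64c3-44a0-adbc-520747397690} - hajigira.dll
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
AppInit_DLLs: pasugusa.dll c:\windows\system32\jakituno.dll
SSODL: nasagibos - {8c398e72-650d-4201-8bfc-d78968c4ec8f} - c:\windows\system32\jakituno.dll
LSA: Notification Packages = scecli pasugusa.dll
Hosts: osguard-pro.microsoft.com
Hosts: osguard-pro.com
"""

# Baselines (assumptions for this example): the stock XP logon UI host and the
# only LSA notification package present on a default XP install.
DEFAULT_UIHOST = "logonui.exe"
DEFAULT_LSA_PACKAGES = {"scecli"}

_GUID = r"\{[0-9a-fA-F-]{36}\}"
# A BHO line that goes straight from 'BHO:' to a GUID has no friendly name.
_UNNAMED_BHO = re.compile(r"^BHO:\s*" + _GUID + r"\s*-\s*(?P<file>.+)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def basename(path: str) -> str:
    """Last path component, lower-cased; works for full paths and bare DLL names."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(report: str) -> list[Finding]:
    """Return one Finding per suspicious entry, plus cross-location findings."""
    findings: list[Finding] = []
    # DLL basename -> set of persistence locations it was seen under.
    where: dict[str, set[str]] = defaultdict(set)

    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()

        if key == "mWinlogon" and value.lower().startswith("uihost="):
            host = basename(value.split("=", 1)[1])
            if host != DEFAULT_UIHOST:
                findings.append(Finding(line, f"Winlogon UIHost is {host!r}, expected {DEFAULT_UIHOST!r}"))
        elif key == "BHO":
            m = _UNNAMED_BHO.match(line)
            if m:
                where[basename(m.group("file"))].add("BHO")
                findings.append(Finding(line, "BHO with no friendly name, loaded from a bare DLL name"))
        elif key == "AppInit_DLLs":
            for dll in value.split():
                where[basename(dll)].add("AppInit_DLLs")
                findings.append(Finding(line, f"AppInit_DLLs loads {basename(dll)!r} into every user32 process"))
        elif key == "SSODL":
            where[basename(value.rsplit(" - ", 1)[-1])].add("SSODL")
            findings.append(Finding(line, "ShellServiceObjectDelayLoad entry (rarely used by legitimate software)"))
        elif key == "LSA":
            _, _, pkgs = value.partition("=")
            for pkg in pkgs.split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    where[basename(pkg)].add("LSA")
                    findings.append(Finding(line, f"non-default LSA notification package {pkg!r}"))
        elif key == "Hosts":
            findings.append(Finding(line, "HOSTS file override; check where this name resolves"))

    # A DLL registered under more than one persistence mechanism is a strong
    # sign of a single component making sure it survives removal of any one hook.
    for dll, locations in sorted(where.items()):
        if len(locations) > 1:
            findings.append(Finding(dll, "same DLL in several persistence locations: " + ", ".join(sorted(locations))))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.reason}\n    {f.line}")
```

Running the block prints ten findings for the sample above: the altered UIHost, the unnamed BHO, both AppInit_DLLs libraries, the SSODL entry, the extra LSA package, the two HOSTS entries, and two cross-location hits (jakituno.dll under AppInit_DLLs and SSODL, pasugusa.dll under AppInit_DLLs and LSA). The named SSVHelper BHO and the avast! mRun entry are left alone, which is the point of keeping control lines in the sample.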

#2 shelf life

Posted 01 May 2010 - 03:16 PM

Your log is a few days old. Reply to post if you still need any help.

How Can I Reduce My Risk to Malware?

#3 moosentonks

Posted 01 May 2010 - 11:08 PM

I do still need help. Would you like me to post newer logs? I haven't made any major changes to my system, though Avast! has captured another trojan or two.

#4 shelf life

Posted 02 May 2010 - 03:13 PM

though Avast! has captured another trojan or two

Malware usually fetches more malware. That log will be OK. We will start with Malwarebytes and go from there. Link and directions:

Please download Malwarebytes to your desktop.

Scratch that, you already ran MBAM.

More than likely you have a rootkit. These can hide from traditional anti-malware/virus scanners. This new 'generation' rootkit goes much deeper into the OS. You should use the machine as little as possible or not at all until it's clean. Keep it powered off or at least make sure it has no connectivity. We will attempt to remove it.

You should really consider a reformat/re-install of Windows once rootkit activity is in place.

We will get another download to use. Link and directions:

Please download TDSS Killer.zip and save it to your desktop
Extract the zip file to your desktop
Click Start > Run and copy/paste what's below into the Run box. Click OK or press Enter.

"%userprofile%\desktop\tdsskiller.exe" -l report.txt

When it's finished press any key to continue.
If prompted please reboot your computer
Please post the report.txt that will be generated on your desktop after running the utility.


