Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

It started as a fake antivirus infection...


  • This topic is locked This topic is locked
2 replies to this topic

#1 mdykhouse

mdykhouse

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:11 PM

Posted 03 June 2010 - 05:52 PM

Hello,

I believe I have a malware infection. Here is the history of what is going on:

1) I had an infection of something called "Antispyware Soft". It would not allow me to run programs and all IE would display was a purchase software screen.
2) I was able to install MalwareBytes and run it. That seemed to make things much better.
3) I still have issues with my machine:
-I cannot access Windows update from the web page or through Windows Defender.
-My Google Chrome does not work at all. Even a reinstall does not fix it.
-Google search results are often redirected to other sites. Sometimes my antivirus (Avira) pops up with a warning when this happens. It prompts me to quarantine files and the message reads "Contatins recognition pattern of the
HTML/Infected.WebPage.Gen HTML script virus"
4) I have run Adaware, Spybot Search and Destroy, Malware Bytes and SuperAnitspyware. They have all found things but nothing has resolved my problem.

Any suggestions? . My DDS.txt file is below.
Thanks for the help,
Matt


DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt Dykhouse at 19:27:42.65 on Wed 06/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1106 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt Dykhouse\Desktop\bleeping\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 10\SnagitBHO.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 10\SnagitIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\matt dykhouse\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [x3watch] c:\program files\x3watch\x3watch.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x0990 -f video -m logitech -d 11.5.0.1145
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255307030859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-31 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-31 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-31 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-31 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-31 60936]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-06-03 02:23:57 0 ----a-w- c:\documents and settings\matt dykhouse\defogger_reenable
2010-06-03 02:06:46 0 d-----w- c:\program files\Trend Micro
2010-06-02 00:54:49 0 d-----w- c:\windows\pss
2010-06-01 23:41:57 0 d-----w- c:\docume~1\mattdy~1\applic~1\SUPERAntiSpyware.com
2010-06-01 23:41:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-01 23:41:50 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-01 06:22:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-01 06:22:43 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-01 05:01:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-01 02:46:26 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-01 02:46:22 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-01 02:42:00 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-01 02:41:46 0 d-----w- c:\program files\Lavasoft
2010-06-01 01:48:21 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-01 01:48:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-31 22:51:16 0 d-----w- c:\windows\system32\NtmsData
2010-05-31 22:50:43 0 d-----w- c:\docume~1\mattdy~1\applic~1\Avira
2010-05-31 22:46:55 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-31 22:46:54 0 d-----w- c:\program files\Avira
2010-05-31 22:46:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-05-31 18:12:26 0 d-----w- c:\docume~1\mattdy~1\applic~1\Malwarebytes
2010-05-31 18:11:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-31 18:11:48 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-31 18:11:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-31 18:11:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-31 16:59:49 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-12 02:22:10 0 d-----w- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2010-06-02 05:42:21 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-02 05:42:15 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-03-29 04:40:34 68940 ----a-w- c:\windows\hpoins05.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 19:29:50.00 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 mdykhouse

mdykhouse
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:11 PM

Posted 03 June 2010 - 11:05 PM

I gave up and reformatted.

Now it's gone for sure.

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:06:11 AM

Posted 06 June 2010 - 01:31 PM

Since this issue appears to be resolved ... this Topic has been closed.

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users