Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Aec.sys files infected by Tr/Krap.h.1 and sp3 removed


  • This topic is locked This topic is locked
2 replies to this topic

#1 darkill

darkill

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:03 PM

Posted 13 August 2010 - 10:56 AM

Hi.
I post here because I have got a virus since some days and so I posted in avira forum for help. Someone helped me but finally he redirected me to this page because he couldn't help me anymore ; he told it wasn't in his capacity to do it. So I post here to optain some help from some of you, I hope you will help me and I would be thankfull of this.
Here the link of the post I did in avira : http://forum.avira.com/wbb/index.php?page=...92&pageNo=3

To resume the actual situation : I had a TR/krap.h.1 virus but I cleaned it, however I still got an infected files in c/window/system32/driver. This files is aec.sys and it cause me many problem : I tried to remove and to reinstall the SP3. In removing it I had no problem, but when I wanted to reinstall it I had problem ; the aec files couldn't be copied or deleted or I don't know what exactly but this was for sure something with this files and I couldn't continue the installation because of this.

CD emulation software has been disabled
DDS log :


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jordan at 15:11:41.89 on 13.08.2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.1022.588 [GMT 2:00]



AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Fichiers communs\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\BLUEWIN\QUICKH~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fr-ch\bin\WindowsSearch.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\fr-ch\bin\WindowsSearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\control.exe
C:\Documents and Settings\Jordan\Bureau\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ch/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
mStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=ch&l=fr&s=gen
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://g.fr.msn.ch/0SEFRCH/SAOS01?FORM=TOOLBR
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Barre d'outils de MSN Search Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1105\fr-ch\msntb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: IEPluginBHO Class: {f5cc7f02-6f4e-4462-b5b1-394a57fd3e0d} - c:\documents and settings\jordan\application data\nowe gadu-gadu\_userdata\ggbho.1.dll
TB: Barre d'outils de MSN Search: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0000.1105\fr-ch\msntb.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4E7BD74F-2B8D-469E-DCF7-E869A199B87D} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSScheduler] "c:\program files\fichiers communs\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [Motive SmartBridge] c:\progra~1\bluewin\quickh~1\smartb~1\MotiveSB.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp psc 700 series\bin\hpobrt07.exe
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\menudé~1\progra~1\démarr~1\recher~1.lnk - c:\program files\msn toolbar suite\ds\02.05.0001.1119\fr-ch\bin\WindowsSearch.exe
IE: &MSN Search - c:\program files\msn toolbar suite\tb\02.05.0000.1105\fr-ch\msntb.dll/search.htm
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/FR-CH/a-UNO1/GAME_UNO1.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.fr/scan_fr/scan8/oscan8.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {91D4B4D5-E368-40AB-8F53-A37FA634B471} - hxxp://www.tellmemorecorporate.com/bin/tol9inst.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\fichie~1\skype\SKYPE4~1.DLL
Handler: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - c:\windows\system32\wowctl2.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-3 11608]
R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\avira\antivir desktop\sched.exe [2009-5-3 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-3 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-3 56816]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-6 54752]
R2 PLCNDIS5;PLCNDIS5 NDIS Protocol Driver;c:\windows\system32\plcndis5.sys [2004-5-17 17280]
S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 5609b346-c7ac-4ce8-91bd-4eb4d0305dcb;5609b346-c7ac-4ce8-91bd-4eb4d0305dcb;\??\d:\player\cds300.dll --> d:\player\cds300.dll [?]
S3 A_USBETHMP;USB PowerPacket Network Adapter;c:\windows\system32\drivers\usbethmp.sys [2006-5-18 14342]
S3 fsssvc;Service Windows Live Contrôle parental;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;\??\c:\windows\system32\plcmpr5.sys --> c:\windows\system32\PLCMPR5.SYS [?]

=============== Created Last 30 ================

2010-08-13 13:07:59 0 ----a-w- c:\documents and settings\jordan\defogger_reenable
2010-08-12 18:46:01 0 d-----w- c:\windows\system32\CatRoot_bak
2010-08-11 10:44:52 0 d-----w- c:\docume~1\jordan\applic~1\Dossier de téléchargement Share-to-Web
2010-08-10 19:17:09 98816 ----a-w- c:\windows\sed.exe
2010-08-10 19:17:09 77312 ----a-w- c:\windows\MBR.exe
2010-08-10 19:17:09 256512 ----a-w- c:\windows\PEV.exe
2010-08-10 19:17:09 161792 ----a-w- c:\windows\SWREG.exe
2010-08-10 16:33:29 0 d-----w- c:\windows\pss
2010-07-15 09:05:24 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-08-13 13:11:43 585472 ----a-w- c:\windows\system32\drivers\aec.sys
2010-08-12 17:25:52 85744 ----a-w- c:\windows\system32\perfc00C.dat
2010-08-12 17:25:52 512206 ----a-w- c:\windows\system32\perfh00C.dat
2010-08-02 12:20:59 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-24 15:55:24 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-23 12:08:09 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2006-11-13 18:37:45 4170623 ----a-w- c:\program files\fichiers communs\mahtt.rtf
2004-08-05 11:00:00 94864 --sh--w- c:\windows\twain.dll
2007-12-04 18:41:36 550912 --sh--w- c:\windows\system32\oleaut32.dll
2009-05-11 07:54:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\historique\history.ie5\mshist012009051120090512\index.dat

============= FINISH: 15:12:30.65 ===============


I have the logs of gmer if you want.

Attached Files


Edited by darkill, 13 August 2010 - 10:58 AM.


BC AdBot (Login to Remove)

 


#2 darkill

darkill
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:03 PM

Posted 17 August 2010 - 05:42 AM

I don't need anymore help.
I am sorry, it isn't because It has still not reply but I will proced by other way to clean my computer.
I write about it so that no one of you start to work on this thread. Hope no one started to already work on this problem and if someone did I am sorry.
THanx for comprehesion, good luck for the next.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:03 AM

Posted 17 August 2010 - 04:30 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users