hdaudio.exe / WmiApRpl_new.h


This topic is locked.
5 replies to this topic

#1 krom

krom
  • Members
  • 3 posts
  • Local time: 09:03 AM

Posted 13 October 2010 - 03:56 PM

ESET NOD32 started alerting me that autorun.inf was being written to all the USB drives that I plugged into my computer. It will immediately write the file again upon deletion. I started to research the problem while I scanned the system with NOD32, Malwarebytes' Anti-Malware, and SUPERAntiSpyware. NOD32 did not find anything; Malwarebytes and SUPERAntiSpyware found some minor stuff and removed it.


After rebooting I still found that autorun.inf was being written to any USB drives that were plugged into my system. I noticed from one of the alerts from NOD32 that it was hdaudio.exe that was creating the autorun.inf files. It (hdaudio.exe) is set to hidden; after removing the hidden attribute from hdaudio.exe it still cannot be deleted. As I researched this problem I found some info about an autorun virus; they said an easy way to determine if a drive is infected is to do a `dir /ah` command. I plugged in one of the USB drives I knew was infected and this is what I get:


L:\>dir /ah
Volume in drive L is KINGSTON
Volume Serial Number is 0A55-F444

Directory of L:\

10/10/2010 09:55 AM 21,504 autorun.exe
10/13/2010 04:04 PM 176 autorun.inf
2 File(s) 21,680 bytes
0 Dir(s) 14,547,877,888 bytes free


Since I have a lot of external drives connected to my system I ran the `dir /ah` command on all of them; none showed any autorun files. At this point I'm frustrated and embarrassed... I can usually fix these types of problems myself by utilizing your site and a few other online resources, but I haven't seen any information about this particular problem.

In the past you guys have helped me countless times to fix other people's infestations; now I humbly ask for your help.

Just tell me what to do, this thing needs to die.


Attached file: Attach.txt (8.96 KB)

DDS (Ver_10-10-10.03) - NTFS_AMD64
Run by wkg at 15:31:19.79 on Wed 10/13/2010
Internet Explorer: 9.0.7930.16406 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.8190.6067 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Flip Video\FlipShare\FlipShareService.exe
C:\PROGRA~2\GFI\GFIBAC~1\GFIHInst.exe
C:\PROGRA~2\GFI\GFIBAC~1\GFIHSC~1.EXE
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Users\wkg\AppData\Local\TVersity\Media Server\MediaServer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Core Temp\Core Temp.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files (x86)\Creative\Software Update 3\SoftAuto.exe
C:\Program Files (x86)\ManyCam 2.4\ManyCam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\GFI\GFI Backup 2009 - Home Edition\GFIAgent.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Program Files (x86)\Brownie\BrStsW64.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Windows\SysWOW64\hdaudio.exe
C:\Program Files (x86)\Brownie\Brnipmon.exe
C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wkg\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Users\wkg\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuz1.dll
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuz1.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - C:\Program Files (x86)\vShare\vshare_toolbar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - C:\Program Files (x86)\LastPass\LPBar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuz1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\tbVuz1.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - C:\Program Files (x86)\vShare\vshare_toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [Google Update] "C:\Users\wkg\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SoftAuto.exe] "C:\Program Files (x86)\Creative\Software Update 3\SoftAuto.exe"
uRun: [ManyCam] "C:\Program Files (x86)\ManyCam 2.4\ManyCam.exe"
uRun: [EPSON Stylus Photo R380 Series (Copy 1)] C:\Windows\system32\spool\DRIVERS\x64\3\E_FATIBOA.EXE /FU "C:\Windows\TEMP\E_S44E6.tmp" /EF "HKCU"
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [GFI Backup 2009 - Home Edition] "C:\PROGRA~2\GFI\GFIBAC~1\GFIAgent.exe"
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
mRun: [googletalk] C:\Program Files (x86)\Google\Google Talk\googletalk.exe /autostart
mRun: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [BrStsWnd] C:\Program Files (x86)\Brownie\BrstsW64.exe Autorun
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [LWS] C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
mRun: [Windows HD Audio] "C:\Windows\system32\hdaudio.exe"
dRun: [CtxfiReg] CTXFIREG.exe /FAIL1
StartupFolder: C:\Users\wkg\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Logitech\Ereg\eReg.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to &Evernote - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll/2000
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - C:\Program Files (x86)\Evernote\Evernote3.5\enbar.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D3CCEFAF-8EE1-40FE-BE25-366E2B016DAB} - hxxps://labs.ttsc.net/console/VMRCActiveXClient.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15111/CTPID.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files (x86)\vShare\vshare_toolbar.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {BA14329E-9550-4989-B3F2-9732E92D17CC} - No File
TB-X64: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
mRun-x64: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
mRun-x64: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL

================= FIREFOX ===================

FF - ProfilePath - C:\Users\wkg\AppData\Roaming\Mozilla\Firefox\Profiles\o23gchuk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google Powered Search
FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: C:\Users\wkg\AppData\Roaming\Mozilla\Firefox\Profiles\o23gchuk.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: C:\Users\wkg\AppData\Roaming\Mozilla\Firefox\Profiles\o23gchuk.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: C:\Users\wkg\AppData\Roaming\Mozilla\Firefox\Profiles\o23gchuk.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - component: C:\Users\wkg\AppData\Roaming\Mozilla\Firefox\Profiles\o23gchuk.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npPDFXCviewNPPlugin.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll
FF - plugin: C:\ProgramData\id Software\QuakeLive\npquakezero.dll
FF - plugin: C:\Users\wkg\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: C:\Users\wkg\AppData\Roaming\Mozilla\Firefox\Profiles\o23gchuk.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: C:\Users\wkg\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\wkg\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
R2 eamonm;eamonm;C:\Windows\System32\drivers\eamonm.sys [2010-7-29 168544]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2010-8-12 810144]
R2 epfwwfpr;epfwwfpr;C:\Windows\System32\drivers\epfwwfpr.sys [2010-7-29 126320]
R2 GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service;C:\PROGRA~2\GFI\GFIBAC~1\GFIHInst.exe [2010-9-12 858480]
R2 GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service;C:\PROGRA~2\GFI\GFIBAC~1\GFIHSC~1.EXE [2010-9-12 2324848]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe [2010-5-7 197976]
R3 CT20XUT.SYS;CT20XUT.SYS;C:\Windows\System32\drivers\CT20XUT.sys [2010-5-5 202840]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;C:\Windows\System32\drivers\CTEXFIFX.sys [2010-5-5 1417304]
R3 CTHWIUT.SYS;CTHWIUT.SYS;C:\Windows\System32\drivers\CTHWIUT.sys [2010-5-5 94808]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2010-5-7 30304]
R3 LVUVC64;Logitech QuickCam Pro 9000(UVC);C:\Windows\System32\drivers\lvuvc64.sys [2010-7-27 6465632]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\Windows\System32\drivers\ManyCam_x64.sys [2008-3-13 27136]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-12-19 314400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-12-30 133104]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-12-30 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-30 79360]
S3 CT20XUT;CT20XUT;C:\Windows\System32\drivers\CT20XUT.sys [2010-5-5 202840]
S3 CTEXFIFX;CTEXFIFX;C:\Windows\System32\drivers\CTEXFIFX.sys [2010-5-5 1417304]
S3 CTHWIUT;CTHWIUT;C:\Windows\System32\drivers\CTHWIUT.sys [2010-5-5 94808]
S3 CTUPnPSv;Creative Centrale Media Server;C:\Program Files (x86)\Creative\Creative Centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 LVRS64;Logitech RightSound Filter Driver;C:\Windows\System32\drivers\lvrs64.sys [2010-7-27 339040]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 51456888]
S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2010-4-2 19544]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-3-9 1255736]

=============== Created Last 30 ================

2010-10-13 03:04:31 -------- d-----w- C:\PROGRA~3\!SASCORE
2010-10-13 03:04:29 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-10-13 02:08:19 -------- d-----w- C:\Users\wkg\AppData\Roaming\SUPERAntiSpyware.com
2010-10-13 02:08:19 -------- d-----w- C:\PROGRA~3\SUPERAntiSpyware.com
2010-10-12 19:30:04 633856 ----a-w- C:\Windows\System32\comctl32.dll
2010-10-12 19:30:04 530432 ----a-w- C:\Windows\SysWow64\comctl32.dll
2010-10-12 19:30:03 738816 ----a-w- C:\Windows\SysWow64\wmpmde.dll
2010-10-12 19:30:03 148992 ----a-w- C:\Windows\System32\t2embed.dll
2010-10-12 19:30:03 109056 ----a-w- C:\Windows\SysWow64\t2embed.dll
2010-10-12 19:30:03 1024512 ----a-w- C:\Windows\System32\wmpmde.dll
2010-10-12 19:30:02 483840 ----a-w- C:\Windows\System32\StructuredQuery.dll
2010-10-12 19:30:02 363520 ----a-w- C:\Windows\SysWow64\StructuredQuery.dll
2010-10-10 13:53:17 21504 ---h--w- C:\Windows\SysWow64\hdaudio.exe
2010-10-10 13:53:17 21504 ---h--w- C:\Program Files (x86)\Common Files\dvdaudio.exe
2010-10-06 11:27:47 53248 ----a-r- C:\Users\wkg\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2010-10-06 11:27:35 -------- d-----w- C:\Windows\SysWow64\logishrd
2010-10-06 11:27:35 -------- d-----w- C:\Windows\System32\logishrd
2010-10-06 11:27:27 -------- d-----w- C:\Program Files (x86)\Common Files\LWS
2010-10-06 11:19:20 -------- d-----w- C:\Program Files\Microsoft IntelliType Pro
2010-10-06 06:18:00 -------- d-----w- C:\Users\wkg\AppData\Roaming\mIRC
2010-10-06 06:17:09 -------- d-----w- C:\Invision
2010-10-06 05:20:43 -------- d-----w- C:\Program Files\Microsoft Synchronization Services
2010-10-06 05:20:25 -------- d-----w- C:\Windows\PCHEALTH
2010-10-06 05:20:25 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition
2010-10-06 05:19:28 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 8
2010-10-06 05:19:06 -------- d-----w- C:\Program Files\Microsoft Analysis Services
2010-10-06 05:19:06 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2010-10-06 05:18:49 -------- d-----w- C:\Users\wkg\AppData\Local\Microsoft Help
2010-09-29 07:00:36 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2010-09-29 07:00:36 184832 ----a-w- C:\Windows\System32\drivers\usbvideo.sys
2010-09-29 02:08:43 -------- d-----w- C:\Program Files (x86)\Haali
2010-09-28 23:29:29 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-09-28 23:29:29 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-09-27 23:41:57 -------- d-----w- C:\Program Files (x86)\SlySoft
2010-09-27 18:43:12 -------- d-----w- C:\Program Files (x86)\CCleaner
2010-09-26 05:54:59 4068864 ----a-w- C:\Windows\System32\mf.dll
2010-09-26 05:53:49 -------- d-----w- C:\Program Files (x86)\Feedback Tool
2010-09-26 03:02:45 -------- d-----w- C:\Program Files (x86)\vShare
2010-09-22 18:35:24 -------- d-----w- C:\Users\wkg\AppData\Roaming\Malwarebytes
2010-09-22 18:35:20 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2010-09-22 18:35:19 24664 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-09-22 18:35:19 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-09-22 18:35:18 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-09-20 04:58:40 -------- d-----w- C:\Program Files (x86)\Flip Video
2010-09-16 12:09:50 38056 ------w- C:\Windows\System32\drivers\ElbyCDIO.sys
2010-09-15 21:19:55 89256 ------w- C:\Windows\SysWow64\ElbyCDIO.dll
2010-09-15 20:06:53 558592 ----a-w- C:\Windows\System32\spoolsv.exe
2010-09-14 20:04:35 -------- d-----w- C:\Users\wkg\AppData\Local\ElevatedDiagnostics

==================== Find3M ====================

2010-09-09 22:39:14 2826240 ----a-w- C:\Windows\SysWow64\GPhotos.scr
2010-09-07 22:12:17 8134344 ----a-w- C:\Program Files (x86)\Common Files\lpuninstall.exe
2010-09-01 05:12:09 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2010-09-01 04:46:36 1355264 ----a-w- C:\Windows\SysWow64\jscript9.dll
2010-09-01 04:44:32 367104 ----a-w- C:\Windows\SysWow64\html.iec
2010-09-01 04:44:30 1448448 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2010-09-01 04:44:24 1122304 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-09-01 04:44:06 424960 ----a-w- C:\Windows\SysWow64\vbscript.dll
2010-09-01 04:43:22 23552 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-09-01 04:43:12 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2010-09-01 04:43:12 114176 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2010-09-01 04:43:10 76800 ----a-w- C:\Windows\SysWow64\SetIEInstalledDate.exe
2010-09-01 04:43:10 74752 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2010-09-01 04:43:02 448512 ----a-w- C:\Windows\System32\html.iec
2010-09-01 04:41:56 601088 ----a-w- C:\Windows\System32\vbscript.dll
2010-09-01 04:40:56 76800 ----a-w- C:\Windows\System32\tdc.ocx
2010-09-01 04:40:40 215552 ----a-w- C:\Windows\System32\msls31.dll
2010-09-01 04:23:49 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2010-09-01 02:58:34 3123712 ----a-w- C:\Windows\System32\win32k.sys
2010-08-31 04:32:30 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
2010-08-31 04:32:30 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll
2010-08-28 00:37:39 466520 ----a-w- C:\Windows\System32\wrap_oal.dll
2010-08-28 00:37:39 445016 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2010-08-28 00:37:39 123480 ----a-w- C:\Windows\System32\OpenAL32.dll
2010-08-28 00:37:39 109144 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2010-08-27 06:14:02 236032 ----a-w- C:\Windows\System32\srvsvc.dll
2010-08-27 05:46:48 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2010-08-27 03:38:04 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
2010-08-27 03:37:48 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys
2010-08-27 03:37:26 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2010-08-21 06:36:49 340992 ----a-w- C:\Windows\System32\schannel.dll
2010-08-21 05:36:24 224256 ----a-w- C:\Windows\SysWow64\schannel.dll
2010-08-16 06:50:45 1137664 ----a-w- C:\Windows\System32\FntCache.dll
2010-08-16 06:50:43 1543168 ----a-w- C:\Windows\System32\DWrite.dll
2010-08-16 06:50:42 899072 ----a-w- C:\Windows\System32\d2d1.dll
2010-08-16 06:50:42 320512 ----a-w- C:\Windows\System32\d3d10_1core.dll
2010-08-16 06:50:42 1844224 ----a-w- C:\Windows\System32\d3d10warp.dll
2010-08-16 06:14:36 1076224 ----a-w- C:\Windows\SysWow64\DWrite.dll
2010-08-16 06:14:24 737280 ----a-w- C:\Windows\SysWow64\d2d1.dll
2010-08-16 06:14:24 218624 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2010-08-16 06:14:24 1172480 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2010-08-10 04:32:54 256 ----a-w- C:\Windows\SysWow64\pool.bin
2010-08-05 22:40:44 15314024 ----a-w- C:\Windows\System32\nvcpl.dll
2010-08-05 22:40:44 116328 ----a-w- C:\Windows\System32\nvmctray.dll
2010-08-05 22:40:42 1585256 ----a-w- C:\Windows\System32\nvsvc64.dll
2010-08-05 22:40:40 1882216 ----a-w- C:\Windows\System32\nvsvcr.dll
2010-08-05 22:40:40 159336 ----a-w- C:\Windows\System32\nvvsvc.exe
2010-07-29 06:30:34 82944 ----a-w- C:\Windows\SysWow64\iccvid.dll
2010-07-27 19:18:04 163696 ----a-w- C:\Windows\GFIBckHUnwise.EXE
2010-07-27 12:14:12 539232 ----a-w- C:\Windows\SysWow64\LVUI2RC.dll
2010-07-27 12:14:00 543328 ----a-w- C:\Windows\SysWow64\LVUI2.dll
2010-07-27 12:13:50 559712 ----a-w- C:\Windows\System32\LVUIRC64.dll
2010-07-27 12:13:04 771168 ----a-w- C:\Windows\System32\LVUI64.dll
2010-07-27 12:08:58 269408 ----a-w- C:\Windows\System32\lvco1311021.dll
2010-07-27 12:08:22 398432 ----a-w- C:\Windows\System32\lvcod64.dll
2010-07-27 12:07:56 416352 ----a-w- C:\Windows\SysWow64\lvcodec2.dll
2010-07-27 12:03:20 10829656 ----a-w- C:\Windows\SysWow64\LogiDPP.dll
2010-07-27 12:03:20 10829656 ----a-w- C:\Windows\System32\LogiDPP.dll
2010-07-27 12:03:20 102744 ----a-w- C:\Windows\SysWow64\LogiDPPApp.exe
2010-07-27 12:03:20 102744 ----a-w- C:\Windows\System32\LogiDPPApp.exe
2010-07-27 12:03:18 290648 ----a-w- C:\Windows\SysWow64\DevManagerCore.dll
2010-07-27 12:03:18 290648 ----a-w- C:\Windows\System32\DevManagerCore.dll

============= FINISH: 15:33:23.92 ===============
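The DDS log above shows the persistence mechanism: an mRun entry named [Windows HD Audio] pointing at "C:\Windows\system32\hdaudio.exe", while the file itself sits in C:\Windows\SysWow64 with the hidden attribute and a creation date three days before the post. The script below is an added example written for this page (it is not from the thread, from DDS, or from BleepingComputer) that walks the same Run keys DDS reports as uRun, mRun and mRun-x64, resolves each target, and flags the traits that made this entry suspicious. It assumes an elevated PowerShell 4 or later session on 64-bit Windows (Get-FileHash did not exist in the PowerShell 2.0 that shipped with Windows 7); the heuristics (hidden attribute, system32/SysWOW64 mismatch, recent creation, unsigned binary) are my own choices, not anything the helpers prescribed.

```powershell
# Added example (not from the original thread): enumerate autostart Run keys and
# flag entries that look like the [Windows HD Audio] line in the DDS log.
# Assumptions: elevated PowerShell 4+ on 64-bit Windows; heuristics are the author's.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               # 64-bit view (DDS mRun-x64)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view (DDS mRun)
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               # per-user (DDS uRun)
)

function Resolve-RunTarget {
    param([string]$Command)
    # Pull the executable out of  "C:\path\app.exe" /flag  or  C:\path\app.exe /flag
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] }
           else { ($Command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $candidates = @($exe)
    # WOW64 redirects a 32-bit process that writes to %windir%\system32 into SysWOW64,
    # so a value that says system32 may belong to a file that only exists under
    # SysWOW64 (exactly what the DDS log shows for hdaudio.exe). Check both.
    if ($exe -imatch '^(.*\\Windows)\\system32\\(.+)$') {
        $candidates += "$($Matches[1])\SysWOW64\$($Matches[2])"
    }
    foreach ($c in $candidates) { if (Test-Path -LiteralPath $c) { return $c } }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # PSPath/PSParentPath etc., not Run values
        $path  = Resolve-RunTarget ([string]$p.Value)
        $notes = @()
        if (-not $path) {
            $notes += 'target not found'
        } else {
            $fi = Get-Item -LiteralPath $path -Force   # -Force so hidden files are returned
            if ($fi.Attributes -band [IO.FileAttributes]::Hidden) { $notes += 'hidden attribute' }
            if ($p.Value -imatch '\\system32\\' -and $path -imatch '\\SysWOW64\\') {
                $notes += 'value says system32, file is under SysWOW64'
            }
            if ($fi.CreationTime -gt (Get-Date).AddDays(-30)) { $notes += 'created in last 30 days' }
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $notes += "signature $($sig.Status)" }
            $notes += 'sha256 ' + (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value; Resolved = $path; Notes = ($notes -join '; ') }
    }
}

# The same log shows EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and
# PromptOnSecureDesktop = 0, i.e. UAC switched off, so every process this user
# started already ran with full administrator rights. Windows 7 defaults are 1 / 5 / 1.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' |
    Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
```

Run it and look at the Notes column: an entry combining "hidden attribute", the system32/SysWOW64 split and an unsigned, recently created binary is the pattern to pull the hash from and check against a scanner such as VirusTotal. The UAC values are reported rather than changed; restoring them is a deliberate step, not something a triage script should do on its own.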



#2 snemelk

snemelk
  • inżynier (engineer)
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 20 October 2010 - 01:35 PM

Hi krom, and welcome to Bleeping Computer.

Certainly, these two files look suspicious:
2010-10-10 13:53:17 21504 ---h--w- C:\Windows\SysWow64\hdaudio.exe
2010-10-10 13:53:17 21504 ---h--w- C:\Program Files (x86)\Common Files\dvdaudio.exe


Please plug your infected drive (Kingston) in (and make sure it's visible in Windows under L:\) and run this scan (please attach both logs generated!):

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    dir /a:h C:\ /c
    dir /a:h D:\ /c
    dir /a:h L:\ /c
    type L:\autorun.inf /c
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver
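The checks the two posts above rely on, `dir /ah` on the Kingston stick and the OTL lines `dir /a:h L:\ /c` and `type L:\autorun.inf /c`, can be scripted so they run against every removable drive at once and also show what autorun.inf actually points at. The block below is an added example written for this page, not code from the thread, from OTL or from BleepingComputer. It assumes PowerShell 3 or later on the machine the drive is plugged into; the INI key list (open, shellexecute, shell\<verb>\command) is the set of autorun.inf keys that launch code, and the NoDriveTypeAutoRun reading is my addition. One caveat worth knowing: Windows 7 already ignores autorun.inf on non-optical removable media (that change was later back-ported to XP and Vista as KB971029), so on this poster's machine the stick would not have auto-executed anything; the policy check matters for older hosts the same stick may visit.

```powershell
# Added example (not from the original thread): scripted "dir /ah" plus a read of
# what autorun.inf launches, for every removable drive. Assumes PowerShell 3+.

function Get-AutorunTargets {
    param([string]$IniPath)
    # autorun.inf is INI-style. The keys that run code are open= and shellexecute=,
    # plus shell\<verb>\command= lines that hijack Explorer's context-menu verbs.
    $targets = @()
    foreach ($line in (Get-Content -LiteralPath $IniPath -ErrorAction Stop)) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += [pscustomobject]@{ Key = $Matches[1]; Command = $Matches[2] }
        }
    }
    return $targets
}

function Test-RemovableDrives {
    # Win32_LogicalDisk DriveType 2 = removable disk (USB sticks, card readers).
    foreach ($disk in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')) {
        $root = $disk.DeviceID + '\'
        Write-Host "== $root ($($disk.VolumeName))"
        # -Force lists hidden and system files, which is what dir /ah shows.
        $hidden = Get-ChildItem -LiteralPath $root -Force -File |
                  Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
        foreach ($f in $hidden) {
            Write-Host ("  hidden: {0,-20} {1,8} bytes  {2:u}  {3}" -f $f.Name, $f.Length, $f.LastWriteTime, $f.Attributes)
        }
        $inf = Join-Path $root 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        Write-Host '  --- autorun.inf ---'
        Get-Content -LiteralPath $inf | ForEach-Object { Write-Host "  | $_" }
        foreach ($t in (Get-AutorunTargets $inf)) {
            # Strip quotes and arguments, then resolve relative to the drive root.
            $exe  = if ($t.Command -match '^"([^"]+)"') { $Matches[1] } else { ($t.Command -split '\s+')[0] }
            $full = if ([IO.Path]::IsPathRooted($exe)) { $exe } else { Join-Path $root $exe }
            if (Test-Path -LiteralPath $full) {
                $fi   = Get-Item -LiteralPath $full -Force
                $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
                Write-Host "  $($t.Key)= -> $full  [$($fi.Length) bytes, $($fi.Attributes), SHA256 $hash]"
            } else {
                Write-Host "  $($t.Key)= -> $full  [target not found]"
            }
        }
    }
}

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type. Windows 7
    # already ignores autorun.inf on non-optical removable media; this matters on
    # XP/Vista hosts without KB971029 that may see the same stick.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $v) { Write-Host "$hive NoDriveTypeAutoRun: not set" }
        else { Write-Host ("$hive NoDriveTypeAutoRun: 0x{0:X2}" -f $v) }
    }
}

Test-RemovableDrives
Get-AutorunPolicy
```

On the listing from the first post this would print the two hidden files, dump the 176-byte autorun.inf, and resolve whichever key it carries to L:\autorun.exe with its size and hash. Deleting the files is only half the job while the dropper is still running on the host, which is why the helper asked for a scan of the machine before touching the stick; the script reads and reports, it does not delete.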


#3 krom

krom
  • Topic Starter
  • Members
  • 3 posts
  • Local time: 09:03 AM

Posted 20 October 2010 - 07:40 PM

Hi,
Thanks for getting to this post, but I could not wait. A format and reinstall took care of this problem. I honestly wish I could've waited, because it would've been very interesting to know more about this thing and how to get rid of it. But alas, 7 days was just too much of a stretch; I had to nuke this bugger and move on.
Thanks again for your help.

#4 snemelk

snemelk
  • inżynier (engineer)
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 21 October 2010 - 09:59 AM

Hi again krom! :)

Thanks for the update... Now you know you've got a clean system...
We do have a limited number of Helpers (volunteers) and hundreds of logs to do; this means at least one week of waiting...

I've not encountered this infection before, and judging by Google search results, it is pretty rare... Anyway, if you still have that removable device (Kingston), I suggest you either format it as well or delete those suspicious files on it (note: you'll probably need to unhide hidden files on your computer to do this: How to show hidden files in Windows 7):

10/10/2010 09:55 AM 21,504 autorun.exe
10/13/2010 04:04 PM 176 autorun.inf


If there are no more problems or questions, I'll close the thread...


#5 krom

krom
  • Topic Starter
  • Members
  • 3 posts
  • Local time: 09:03 AM

Posted 21 October 2010 - 11:41 AM

Hi snemelk,

Yeah, you guys have quite a workload to get through; I understand the wait time.
It does seem like this was a rare type of infestation. I found very little information about it; in fact I found no information about this specific case, just info about some of its characteristics. A strange case indeed.
I've formatted all the removable USB drives I have, and also did a `dir /ah` on all my drives just to make sure there's no chance of this thing hanging around.
So, go ahead and close this thread; it's been taken care of.

Thanks again for your help, have a good one!

#6 snemelk

snemelk
  • inżynier (engineer)
  • Malware Response Team
  • 1,468 posts
  • Gender: Male
  • Location: Poland

Posted 21 October 2010 - 12:13 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, just send me a PM (Send message from my profile) with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.