Infected with Rootkit?


This topic is locked
24 replies to this topic

#1 kpankov


  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 26 January 2011 - 10:42 PM

Hi,

About a month ago, I received a "Generic Host Process for Win32 Services" Error. I posted my problem in the "Am I infected? What do I do?" section here: http://www.bleepingcomputer.com/forums/topic366859.html/page__p__2057779#entry2057779. I found out that I had been infected with a rootkit.

I ended up using Malwarebytes' Anti-Malware, TDSSKiller, and the Eset Online Anti-Virus Scanner, as instructed by the moderator who helped me. I then used Autoruns to get rid of a new error message that I was receiving, apparently caused by the actual virus being deleted, but the program that started the virus remaining on my computer. After this, my computer was running fine with no problems for about a month.

About 3 days ago, I received the same original "Generic Host Process for Win32 Services" Error. I followed the same steps as before, but after my computer was left on for a while, 2 new error messages appeared.

One says that a program called "wrt.exe" has crashed, and I am asked if I want to send an error report or not. The other message says "The application failed to initialize properly (0xc0000142). Click on OK to terminate." The blue bar at the top of the window says "at.exe - Application Error". Whenever I click on OK, or just click on the close button, the same message pops up again.

I ran all the same programs that I listed above, but no infections were found. However, oddly enough, now the "wrt.exe" message does not show up. It is just the other "(0xc0000142)" message that pops up after my computer has been left on for a while.

Here is my DDS Log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 16:18:37.07 on 26/01/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.209 [GMT -5:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\PROGRA~1\WI9130~1\Datamngr\DATAMN~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\Google Toolbar\gtb12.tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Megaupload\Mega Manager\MegaManager.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.searchqu.com/sidebar.html?src=ssb&sysid=403
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wi9130~1\toolbar\SearchquDx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wi9130~1\toolbar\SearchquDx.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [DATAMNGR] c:\progra~1\wi9130~1\datamngr\DATAMN~1.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [!SearchquFF] RUNDLL32.EXE c:\windows\temp\search~1\INSTAL~1.DLL,_SetFFAssets http://www.searchqu.com/403,Web Search,WebSearch,http://www.searchqu.com/web?src=ffb&systemid=403&q=,
dRunOnce: [jIdCgNi05200] c:\documents and settings\all users\application data\jidcgni05200\jIdCgNi05200.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: kuaiche.com\software
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220804705734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\wi9130~1\datamngr\datamngr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\sgrnindh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Hide My IP: staff@hide-my-ip.com - c:\program files\mozilla firefox\extensions\staff@hide-my-ip.com
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Megaupload Toolbar: {991A772A-BA13-4c1d-A9EF-F897F31DEC7D} - %profile%\extensions\{991A772A-BA13-4c1d-A9EF-F897F31DEC7D}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Mega Manager Integration: {40a1f5d7-afc2-498f-b264-02668d616ff6} - %profile%\extensions\{40a1f5d7-afc2-498f-b264-02668d616ff6}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg8\Firefox
FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg8\toolbar\firefox\avg@igeared
FF - Ext: XULRunner: {E7049F83-3427-452F-99EF-518A5550AE6A} - c:\documents and settings\owner\local settings\application data\{E7049F83-3427-452F-99EF-518A5550AE6A}
FF - Ext: Veoh Web Player Video Finder: web@veoh.com - c:\program files\veoh networks\veohwebplayer\FFVideoFinder

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-6 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-6 108552]
R1 pfmfs_27B;pfmfs_27B;c:\windows\system32\drivers\pfmfs_27B.sys [2010-4-25 179896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-17 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-2 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-12-20 54752]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-8-12 215936]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2011-01-26 21:05:32 -------- d-----w- c:\program files\Cobian Backup 8
2011-01-24 03:42:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\jIdCgNi05200
2011-01-23 05:45:17 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-01-23 04:08:49 86 ----a-w- C:\asdfasfas.bat

==================== Find3M ====================

2010-12-14 21:36:45 0 ----a-w- c:\windows\Xdemev.bin
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05:35 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-11-03 12:59:07 369664 ----a-w- c:\windows\system32\html.iec

============= FINISH: 16:18:53.57 ===============

I also attached the Attach.txt and the ark.txt files.

I only had trouble with the first step of the Preparation Guide, backing up my data. I used Cobian Backup, and when I tried to start the backup process, it said that it encountered an error and cannot continue. However, I do not really have any important information on this computer, and am fine with going on without creating backup data. However, if you believe that it is completely necessary, I'd be willing to try again, perhaps with a different backup program.

Thank you for taking the time to look at this post and help me get rid of this problem. I really appreciate it.
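As an added example, not part of either poster's text or of the DDS tool itself: a small triage script over the "Pseudo HJT Report" section of a DDS log like the ones in this thread. The sample lines are copied from the two logs posted here; the flagging rules (autostart entries in temp directories or under random-looking names, static DNS servers outside an expected set, Trusted Zone additions, AppInit_DLLs entries) are this example's own defender-side heuristics, not rules the forum or DDS defines.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed sample input: lines copied from the Pseudo HJT Report sections of
# the two DDS logs posted in this thread, plus one benign mRun line for contrast.
SAMPLE_LOG = r"""
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
dRunOnce: [!SearchquFF] RUNDLL32.EXE c:\windows\temp\search~1\INSTAL~1.DLL,_SetFFAssets http://www.searchqu.com/403,Web Search,WebSearch,http://www.searchqu.com/web?src=ffb&systemid=403&q=,
dRunOnce: [jIdCgNi05200] c:\documents and settings\all users\application data\jidcgni05200\jIdCgNi05200.exe
Trusted Zone: kuaiche.com\software
TCP: NameServer = 93.188.163.122,93.188.160.72
TCP: {270EFDFD-F30B-4320-8424-6B5C60323696} = 93.188.163.122,93.188.160.72
AppInit_DLLs: c:\progra~1\wi9130~1\datamngr\datamngr.dll
AppInit_DLLs: c:\docume~1\owner\locals~1\temp\kzqs.dll
"""

# DDS prefixes the Run keys with u (HKCU), m (HKLM) or d (Default user).
RUN_RE = re.compile(r"^([umd])(Run(?:Once)?): \[([^\]]+)\] (.*)$")
TCP_RE = re.compile(r"^TCP: (\S+) = (.*)$")
TEMP_DIRS = ("\\temp\\", "\\tmp\\")


def case_changes(s: str) -> int:
    """Count upper/lower transitions between consecutive letters."""
    letters = [c for c in s if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example, not a DDS rule): an alphanumeric
    name of 8+ characters mixing digits with frequent case changes, such as
    jIdCgNi05200, is more likely generated than chosen by a vendor."""
    stem = name.strip('"').split(".")[0]
    return (len(stem) >= 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and case_changes(stem) >= 3)


def path_is_suspicious(path: str) -> bool:
    """True for a binary under a temp directory or with a random-looking folder/file name."""
    lowered = path.lower()
    if any(d in lowered for d in TEMP_DIRS):
        return True
    return any(looks_random(part) for part in re.split(r"[\\/]", path))


def triage(log_text: str, expected_dns: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Scan Pseudo HJT Report lines; return findings with severity
    ('high' or 'review'), the offending line and a short reason."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, line: str, reason: str) -> None:
        findings.append({"severity": severity, "line": line, "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, key, name, command = m.groups()
            if looks_random(name) or path_is_suspicious(command):
                add("high", line, f"{key} autostart from a temp or random-named location")
            continue
        m = TCP_RE.match(line)
        if m:
            servers = {s.strip() for s in m.group(2).split(",") if s.strip()}
            unknown = servers - expected_dns
            if unknown:
                add("review", line,
                    "static DNS servers not in the expected set: " + ", ".join(sorted(unknown)))
            continue
        if line.startswith("Trusted Zone:"):
            add("review", line, "host added to the IE Trusted Zone (relaxed security for that site)")
            continue
        if line.startswith("AppInit_DLLs:"):
            path = line.split(":", 1)[1].strip()
            if path_is_suspicious(path):
                add("high", line, "AppInit_DLLs injects this DLL into most processes; temp/random path")
            else:
                add("review", line, "AppInit_DLLs entry; confirm the vendor is expected")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

Pass the resolver addresses your ISP or router actually hands out as `expected_dns` so that only unexpected static DNS entries are reported.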


#2 B-boy/StyLe/


    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:49 AM

Posted 31 January 2011 - 03:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended, please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:



#3 kpankov

  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:49 PM

Posted 01 February 2011 - 04:02 PM

Hi,

Unfortunately, I do not have the Windows CD/DVD. Below is a description of my problem. It has changed a bit since my first post.

About a month ago, I received a "Generic Host Process for Win32 Services" Error. I posted my problem in the "Am I infected? What do I do?" section here: http://www.bleepingcomputer.com/forums/topic366859.html/page__p__2057779#entry2057779. I found out that I had been infected with a rootkit.

I ended up using Malwarebytes' Anti-Malware, TDSSKiller, and the Eset Online Anti-Virus Scanner, as instructed by the moderator who helped me. I then used Autoruns to get rid of a new error message that I was receiving, apparently caused by the actual virus being deleted, but the program that started the virus remaining on my computer. After this, my computer was running fine with no problems for about a month.

About 3 days ago, I received the same original "Generic Host Process for Win32 Services" Error. I followed the same steps as before, but after my computer was left on for a while, 2 new error messages appeared.

One says that a program called "wrt.exe" has crashed, and I am asked if I want to send an error report or not. The other message says "The application failed to initialize properly (0xc0000142). Click on OK to terminate." The blue bar at the top of the window says "at.exe - Application Error". Whenever I click on OK, or just click on the close button, the same message pops up again.

I ran all the same programs that I listed above, but no infections were found. However, oddly enough, now the "wrt.exe" message does not show up. It is just the other "(0xc0000142)" message that pops up after my computer has been left on for a while.

Now, a new error message also pops up when I turn on my computer. It says that "winlogon.exe" has crashed. The above problem still occurs too.

Here is the new DDS log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 15:05:06.18 on 01/02/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.475 [GMT -5:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system\dwm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\PROGRA~1\WI9130~1\Datamngr\DATAMN~1.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Owner\Desktop\stuff\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.searchqu.com/sidebar.html?src=ssb&sysid=403
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wi9130~1\toolbar\SearchquDx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Megaupload Toolbar: {a057a204-bacc-4d26-c39e-35f1d2a32ec8} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wi9130~1\toolbar\SearchquDx.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [DATAMNGR] c:\progra~1\wi9130~1\datamngr\DATAMN~1.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [!SearchquFF] RUNDLL32.EXE c:\windows\temp\search~1\INSTAL~1.DLL,_SetFFAssets http://www.searchqu.com/403,Web Search,WebSearch,http://www.searchqu.com/web?src=ffb&systemid=403&q=,
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
Trusted Zone: kuaiche.com\software
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1220804705734
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 93.188.163.122,93.188.160.72
TCP: {270EFDFD-F30B-4320-8424-6B5C60323696} = 93.188.163.122,93.188.160.72
TCP: {5C143F85-66F8-44AE-99F8-A46AB72F7609} = 93.188.163.122,93.188.160.72
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\docume~1\owner\locals~1\temp\kzqs.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\sgrnindh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-6 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-6 108552]
R1 pfmfs_27B;pfmfs_27B;c:\windows\system32\drivers\pfmfs_27B.sys [2010-4-25 179896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-17 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-2 297752]
R2 darkness;IpSectPro service;c:\windows\system\dwm.exe [2011-1-31 77312]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-12-20 54752]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-8-12 215936]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg8\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

=============== Created Last 30 ================

2011-02-01 02:06:01 -------- d-----w- c:\program files\Runtime Software
2011-01-31 23:28:50 77312 ----a-w- c:\windows\system\dwm.exe
2011-01-30 01:12:08 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Temp
2011-01-26 21:05:32 -------- d-----w- c:\program files\Cobian Backup 8
2011-01-24 03:42:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\jIdCgNi05200
2011-01-23 05:45:17 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-01-23 04:08:49 86 ----a-w- C:\asdfasfas.bat

==================== Find3M ====================

2010-12-14 21:36:45 0 ----a-w- c:\windows\Xdemev.bin
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05:35 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 15:05:46.84 ===============

I have also attached the new Attach.txt and ark.txt files.

Though I had problems with Cobian Backup, I did create backup data using DriveImage XML, and I transferred the backup data to an external hard drive.

Any CD Emulation programs have been disabled.

Thanks for your help. I'll wait for further instructions.

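A small triage script for lines in the shape of the DDS log above, added here as an example (it is not a tool from this thread or from BleepingComputer); it flags the indicator types that log shows: a loader under a Temp directory, a service under c:\windows\system, the "name .exe" renamed-binary pattern that the RenV:: list in a later post repairs, an AppInit_DLLs value, and resolver addresses outside the private ranges. The sample lines, the regexes and the empty allow-list are constructed assumptions.

```python
"""Triage helper for DDS-style log lines (added example, not from the thread).

Flags the indicator types visible in the log above:
  * a path under a Temp directory or under c:\\windows\\system (not system32)
  * an executable name with a space before ".exe" ("QTTask .exe"), the
    renamed-original pattern that a RenV:: section in a CFScript repairs
  * any AppInit_DLLs value at all
  * resolver addresses that are neither private nor on an expected list
"""
import ipaddress
import re
from dataclasses import dataclass

# Resolvers the owner expects to see (constructed allow-list; private
# addresses such as a home router are always accepted).
EXPECTED_RESOLVERS = set()

# A path token: drive letter, backslash, then the shortest run of characters
# up to a known extension. Spaces are allowed inside because DDS prints
# "program files" unquoted and because the renamed-binary pattern is "name .exe".
PATH_RE = re.compile(r'(?i)[a-z]:\\[^"\[\],]+?\.(?:exe|dll|sys|bat)')
SPACED_EXT_RE = re.compile(r'\s\.(?:exe|dll|sys|bat)$', re.I)

# Constructed sample lines in the shape of the DDS log posted above.
SAMPLE_LOG = [
    r'mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime',
    r'mRun: [IgfxTray] c:\windows\system32\igfxtray.exe',
    r'dRunOnce: [!SearchquFF] RUNDLL32.EXE c:\windows\temp\search~1\INSTAL~1.DLL,_SetFFAssets http://example.invalid/',
    r'TCP: NameServer = 93.188.163.122,93.188.160.72',
    r'TCP: NameServer = 192.168.1.1',
    r'AppInit_DLLs: c:\docume~1\owner\locals~1\temp\kzqs.dll',
    r'R2 darkness;IpSectPro service;c:\windows\system\dwm.exe [2011-1-31 77312]',
    r'R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-8-12 215936]',
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    detail: str


def _path_findings(line_no, line):
    """Check every path-like token on the line for location and naming oddities."""
    findings = []
    for path in PATH_RE.findall(line):
        low = path.lower()
        if SPACED_EXT_RE.search(path):
            findings.append(Finding(line_no, "spaced-extension",
                                    f"renamed-binary pattern: {path}"))
        # "\temp\" catches both c:\windows\temp and the user's locals~1\temp;
        # "c:\windows\system\" is the legacy 16-bit folder, not system32.
        if "\\temp\\" in low or low.startswith("c:\\windows\\system\\"):
            findings.append(Finding(line_no, "suspicious-location", path))
    return findings


def _resolver_findings(line_no, line):
    """Parse 'TCP: <key> = ip,ip' and report resolvers outside the expected set."""
    findings = []
    _, _, value = line.partition("=")
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            findings.append(Finding(line_no, "unparseable-resolver", token))
            continue
        if addr.is_private or token in EXPECTED_RESOLVERS:
            continue
        findings.append(Finding(line_no, "unexpected-resolver", token))
    return findings


def triage(lines):
    """Return a list of Finding objects for the given DDS log lines."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AppInit_DLLs:"):
            findings.append(Finding(line_no, "appinit-dlls",
                                    line.partition(":")[2].strip()))
        if line.startswith("TCP:") and "=" in line:
            findings.extend(_resolver_findings(line_no, line))
        findings.extend(_path_findings(line_no, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2}  {f.category:<20} {f.detail}")
```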



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 01 February 2011 - 04:53 PM

Hi kpankov and :welcome:


I will be handling your log to help you get cleaned up.
Please give me some time to look it over and I will get back to you as soon as possible.


Regards,
Georgi :hello:



#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 01 February 2011 - 07:15 PM

Hello kpankov ! Welcome to BleepingComputer Forums! :welcome:


My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.



You will need to uninstall AVG before continuing with the below.
Due to recent changes in how AVG targets the tool's internal files, AVG must be uninstalled before running ComboFix.
Don't worry - we will reinstall it at the end of the cleaning process.



Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If it exists, uninstall the following by clicking on the entry and selecting "remove":

AVG

Additional instructions can be found here if needed.



IMPORTANT NOTE !!!

Now please do this to clean all leftovers from AVG.


Please download Appremover from the link below:
http://www.appremover.com/get/appremover.exe
Double click on AppRemover.exe to run it.
Uncheck "Enable anonymous usage statistics. No personal data will be recorded."
Click on the Next button.
Click on Clean Up a Failed Uninstall
Click on the Next button.
A scan begins, please wait. Once done, click on the Next button.
Now you should have a list of your installed programs; choose AVG (if it exists) and click on the Next button.
Follow the last step and reboot if asked to do so.



Next please do this:



Please download ComboFix from the link below:

Combofix

Save it to your Desktop <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click it & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply



Regards,
Georgi :hello:

Edited by B-boy/StyLe/, 01 February 2011 - 07:31 PM.



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 01 February 2011 - 07:48 PM

By the way... since I edited my previous post (I added a download link to appremover.exe), please take a look at the instructions for uninstalling AVG again, just in case.
Sorry about that.


Here it is 2:47 am, so I'll get some sleep.
See ya tomorrow, as I'm very tired and I might just fall asleep while typing... stay tuned. :wink:


Regards,
Georgi :hello:

Edited by B-boy/StyLe/, 01 February 2011 - 07:50 PM.



#7 kpankov

kpankov
  • Topic Starter

  • Members
  • 16 posts

Posted 01 February 2011 - 09:14 PM

Hi,

First of all, thanks for helping me out.

I went through all the steps, but I had a couple of problems at first.

The first time I tried to run ComboFix, I received three messages, "pev.exe" has crashed, "PEV.exe" has crashed, and then "pev.exe" has crashed again. After these, ComboFix looked like it was going to start, but I received another message "PEV.cfxxe" has crashed. ComboFix did not work after this. I realized that I had disabled the Internet, so I restarted, enabled the Internet connection, tried again, and it worked.

Then, while the scan was going, I received a message that said "System Shutdown" and it said that the computer will shut down in 60 seconds. There was a timer counting down from 60 seconds. It said something similar to "This has been authorized by NT AUTHORITY/system." It might have been a \ instead of a / though, I'm not too sure because the computer restarted after 60 seconds. After it restarted, I tried running ComboFix again, and this time it finished the scan without any problems.

I have attached the C:\ComboFix.txt file.

Also, on a side note, there was something I forgot to mention in my earlier post. There were some websites, a good example being http://www.wikipedia.org/ that worked normally on other computers, but did not work on the infected one. Whenever I tried to access it, it said "Cannot find server." However, after running ComboFix, it seems that the problem is not only fixed, but my Firefox browser (the Internet browser that I always use) has been updated to a newer, or at least different, version. I'm not sure why this happened. Was it because of ComboFix or some other program I ran?

Anyway, I hope to hear from you soon.




#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 February 2011 - 09:40 AM

Hi kpankov, :)



Yes, it's possible that you are able to access Wikipedia and to update Mozilla due to the fact that Combofix removed some malicious files & registry settings.



It would be extremely helpful if you could please post the logs instead of attaching them. If I ask for a specific log to be attached then that's fine, but it's a lot easier to work with the logs when they are posted to this thread instead of being attached.



Azureus warning !!



Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Azureus). These programmes allow you to share files between users, as the name(s) suggest. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software



AskBar Warning !!



I see you have the AskBar toolbar installed. This often comes bundled with spyware, and it is recommended that you remove it.

Please see here for more information:
http://www.bleepingcomputer.com/uninstall/94/Ask-Toolbar.html

If you would like to remove it, please go to add/Remove Programs and uninstall it.



Windows Searchqu Toolbar Warning !!



Combofix already removed it, but please check if the entry still exists in Add/Remove Programs and, if so, uninstall it.
More information on why I suggest uninstalling it can be found here => http://www.systemlookup.com/CLSID/70823-SearchquDx_dll.html



Now please navigate to C:\asdfasfas.bat
Right click on the batch file and select Edit. (Do not run the file <-- IMPORTANT!!)
That will open up notepad. Copy and paste its content in your next reply.



Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Virustotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\wmplay\wmplay.exe

Note: if VT says these files have already been analysed, make sure you click re-analyse file now.

Please post back the results of the scan in your next post.

If Virustotal is busy, try the same at Virscan: http://virscan.org/



Finally please do this:


Delete your copy of Combofix and download a fresh one from here.

Save it to your desktop but do not run it yet! <--- important!!!



We need to execute a CFScript to clean some remnants.

Please do this:


1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

2. Open Notepad => navigate to Format and make sure that Word Wrap is unchecked. <--- important!!!

3. Copy/paste the text in the codebox below into it:

KILLALL::
Folder::
c:\windows\TEMP\SEARCH~1
Dirlook::
c:\documents and settings\All Users\Application Data\jIdCgNi05200
RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AVG\AVG8\avgtray .exe
c:\program files\Common Files\Ahead\Lib\NeroCheck .exe
c:\program files\FlashGet\FlashGet .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\QTTask .exe
c:\windows\system32\rundll32 .exe
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"!SearchquFF"=-
DDS::
Trusted Zone: kuaiche.com\software

4. Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

5. Close any open browsers.

6. Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Also reply back to let me know how things are going.



Regards,
Georgi



#9 kpankov

kpankov
  • Topic Starter

  • Members
  • 16 posts

Posted 02 February 2011 - 02:14 PM

Hi,

Sorry about the attached file; I thought that's what you wanted me to do. I'll try not to do it again.

Yeah, I know about Azureus. This computer is used by multiple people in the house, so I'll show them all the sites you linked to and make sure they understand how dangerous it is.

I uninstalled the AskBar toolbar.

It did not find Windows Searchqu Toolbar, so I guess it was already deleted.

This is the text from the C:\asdfasfas.bat file:

:huytam
del "C:\WINDOWS\TEMP\jh.exe"
if exist "C:\WINDOWS\TEMP\jh.exe" goto huytam

I made all hidden files viewable by following the steps.

When I selected browse in Virustotal, I could not find the c:\wmplay\wmplay.exe file. I even ran a computer search for this file, but it did not find anything. What should I do?

#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 February 2011 - 04:56 PM

Hello kpankov, :)



Please skip the VT step and proceed with my latest instructions by creating a CFScript file to drag onto the ComboFix icon.
Post the log in your next reply.


Regards,
Georgi



#11 kpankov

kpankov
  • Topic Starter

  • Members
  • 16 posts

Posted 02 February 2011 - 05:42 PM

Hi,

I finished the last step. Here is the new log:

ComboFix 11-01-31.02 - Owner 02/02/2011 17:30:00.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.599 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2011-01-02 to 2011-02-02 )))))))))))))))))))))))))))))))
.

2011-02-01 02:06 . 2011-02-01 02:06 -------- d-----w- c:\program files\Runtime Software
2011-01-30 01:12 . 2011-01-30 01:14 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2011-01-26 21:05 . 2011-01-26 21:06 -------- d-----w- c:\program files\Cobian Backup 8
2011-01-24 03:42 . 2011-01-26 23:00 -------- d-----w- c:\documents and settings\All Users\Application Data\jIdCgNi05200
2011-01-23 16:54 . 2011-01-23 16:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-23 05:45 . 2011-01-23 05:45 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-01-23 04:08 . 2011-01-24 03:43 86 ----a-w- C:\asdfasfas.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-01 20:03 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-12-20 23:09 . 2009-12-24 17:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-12-24 17:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2008-08-12 14:52 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-04-14 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-05 05:05 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-11-05 05:05 . 2008-04-14 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-11-05 05:05 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\jIdCgNi05200 ----

2011-01-24 03:42 . 2011-01-24 03:51 94 ----a-w- c:\documents and settings\All Users\Application Data\jIdCgNi05200\jIdCgNi05200


((((((((((((((((((((((((((((( SnapShot@2011-02-02_01.52.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-02 22:33 . 2011-02-02 22:33 16384 c:\windows\temp\Perflib_Perfdata_738.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}]
@="{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}"
[HKEY_CLASSES_ROOT\CLSID\{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}]
2009-03-06 03:17 143160 ----a-w- c:\windows\system32\pfmshx_27B.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-14 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-01-30 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-01-14 29753344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTyrant\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 pfmfs_27B;pfmfs_27B;c:\windows\system32\drivers\pfmfs_27B.sys [25/04/2010 9:23 AM 179896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 4:26 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 4:27 PM 7408]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [12/08/2008 10:09 AM 215936]
.
Contents of the 'Scheduled Tasks' folder

2011-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2011-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1060284298-1417001333-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-30 01:12]

2011-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1060284298-1417001333-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-30 01:12]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sgrnindh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Hide My IP: staff@hide-my-ip.com - c:\program files\Mozilla Firefox\extensions\staff@hide-my-ip.com
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Megaupload Toolbar: {991A772A-BA13-4c1d-A9EF-F897F31DEC7D} - %profile%\extensions\{991A772A-BA13-4c1d-A9EF-F897F31DEC7D}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Mega Manager Integration: {40a1f5d7-afc2-498f-b264-02668d616ff6} - %profile%\extensions\{40a1f5d7-afc2-498f-b264-02668d616ff6}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Veoh Web Player Video Finder: web@veoh.com - c:\program files\Veoh Networks\VeohWebPlayer\FFVideoFinder
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DATAMNGR - c:\progra~1\WI9130~1\Datamngr\DATAMN~1.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-02 17:33
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwEnumerateValueKey, ZwQueryDirectoryFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
wmplay.exe = c:\wmplay\wmplay.exe

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wmplay.exe"="c:\\wmplay\\wmplay.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(128)
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2011-02-02 17:36:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-02 22:36
ComboFix2.txt 2011-02-02 01:55

Pre-Run: 27,873,898,496 bytes free
Post-Run: 27,864,690,688 bytes free

- - End Of File - - 2AAF590D205FCDFA9956C5410744C8BA

Also, you asked me to let you know how things are going. I've left the computer on all day today, and so far, I have not encountered any problems.

#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 04 February 2011 - 05:02 AM

Hi kpankov, :)



Sorry for the delay !
I was swamped with work yesterday.



We need to run another CFScript:


Delete your copy of Combofix and download a fresh one from here.

Save it to your desktop but do not run it yet! <--- important!!!



We need to execute a CFScript to clean some remnants.

Please do this:


1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

2. Open Notepad => navigate to Format and make sure that Word Wrap is unchecked. <--- important!!!

3. Copy/paste the text in the codebox below into it:

KILLALL::
File::
C:\asdfasfas.bat
C:\WINDOWS\TEMP\jh.exe
c:\wmplay\wmplay.exe
Folder::
c:\documents and settings\All Users\Application Data\jIdCgNi05200
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wmplay.exe"=-

4. Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

5. Close any open browsers.

6. Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Regards,
Georgi



#13 kpankov

kpankov
  • Topic Starter

  • Members
  • 16 posts

Posted 04 February 2011 - 05:19 PM

Hi,

When I first tried this, it seemed like ComboFix had frozen after it said "Completed Stage 50." Nothing happened for more than half an hour, so I closed ComboFix, deleted it, restarted the computer and redid the step. This time it worked with no problems. Here is the log:

ComboFix 11-01-31.02 - Owner 04/02/2011 17:06:14.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.643 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"C:\asdfasfas.bat"
"c:\windows\TEMP\jh.exe"
"c:\wmplay\wmplay.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\asdfasfas.bat
c:\documents and settings\All Users\Application Data\jIdCgNi05200
c:\documents and settings\All Users\Application Data\jIdCgNi05200\jIdCgNi05200
c:\wmplay\wmplay.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-04 to 2011-02-04 )))))))))))))))))))))))))))))))
.

2011-02-03 03:18 . 2011-02-03 03:18 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-02-03 03:18 . 2011-02-03 03:18 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-02-01 02:06 . 2011-02-01 02:06 -------- d-----w- c:\program files\Runtime Software
2011-01-30 01:12 . 2011-01-30 01:14 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2011-01-26 21:05 . 2011-01-26 21:06 -------- d-----w- c:\program files\Cobian Backup 8
2011-01-23 16:54 . 2011-01-23 16:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-23 05:45 . 2011-01-23 05:45 -------- d-----w- c:\program files\Combined Community Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-01 20:03 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2010-12-20 23:09 . 2009-12-24 17:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2009-12-24 17:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2008-08-12 14:52 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2008-04-14 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
.

((((((((((((((((((((((((((((( SnapShot@2011-02-02_01.52.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-04 22:10 . 2011-02-04 22:10 16384 c:\windows\temp\Perflib_Perfdata_744.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}]
@="{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}"
[HKEY_CLASSES_ROOT\CLSID\{4BBAAAE9-0004-4000-9AA5-1BBD98C86E9B}]
2009-03-06 03:17 143160 ----a-w- c:\windows\system32\pfmshx_27B.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-14 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-01-30 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-01-14 29753344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTyrant\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 pfmfs_27B;pfmfs_27B;c:\windows\system32\drivers\pfmfs_27B.sys [25/04/2010 9:23 AM 179896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [16/12/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [16/12/2009 4:26 PM 74480]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [16/12/2009 4:27 PM 7408]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [12/08/2008 10:09 AM 215936]
.
Contents of the 'Scheduled Tasks' folder

2011-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2011-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1060284298-1417001333-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-30 01:12]

2011-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-1060284298-1417001333-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-30 01:12]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\sgrnindh.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://ca.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Hide My IP: staff@hide-my-ip.com - c:\program files\Mozilla Firefox\extensions\staff@hide-my-ip.com
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Megaupload Toolbar: {991A772A-BA13-4c1d-A9EF-F897F31DEC7D} - %profile%\extensions\{991A772A-BA13-4c1d-A9EF-F897F31DEC7D}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Veoh Web Player Video Finder: web@veoh.com - c:\program files\Veoh Networks\VeohWebPlayer\FFVideoFinder
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-wmplay.exe - c:\wmplay\wmplay.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-04 17:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2011-02-04 17:13:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-04 22:13
ComboFix2.txt 2011-02-02 22:36
ComboFix3.txt 2011-02-02 01:55

Pre-Run: 27,882,545,152 bytes free
Post-Run: 27,871,567,872 bytes free

- - End Of File - - 0A6F3793E185A3F66C9847D989904F96
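The ComboFix "Reg Loading Points" section above lists every Run-key autostart, and the CFScript two posts up removed one of them ("wmplay.exe" pointing at c:\wmplay\wmplay.exe). The following is an added triage helper, not code from this thread or from ComboFix, that parses that section and flags values whose binary is missing ([X]) or lives outside a set of assumed-ordinary roots; the sample block and the wmplay timestamp are constructed for the demonstration.

```python
"""Triage helper for ComboFix 'Reg Loading Points' output (added example)."""
import re
from typing import Dict, List, Tuple

# Roots under which an autostart binary is treated as ordinary. This is an
# assumption for the example, not ComboFix's own logic; anything else
# (e.g. c:\wmplay\wmplay.exe from the CFScript) is flagged for review.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\documents and settings\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')

# Constructed sample: lines taken from the log above plus the wmplay value
# the CFScript deleted (its date/size field is made up for this example).
SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-14 68856]
"wmplay.exe"="c:\wmplay\wmplay.exe" [2011-01-30 12345]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"""


def parse_loading_points(text: str) -> List[Dict[str, str]]:
    """Return one dict per value line, tagged with the registry key it sits under."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group("name"),
                            "cmd": m.group("cmd"), "meta": m.group("meta")})
    return entries


def exe_path(cmd: str) -> str:
    """Lowercased executable path with trailing arguments (e.g. ' -atboottime') cut off."""
    cmd = cmd.strip().lower()
    idx = cmd.find(".exe")
    return cmd[: idx + 4] if idx != -1 else cmd


def suspicious(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag entries whose file is missing ([X]) or lives outside TRUSTED_ROOTS."""
    flagged = []
    for e in entries:
        path = exe_path(e["cmd"])
        if e["meta"] == "X":
            flagged.append((e["name"], "file missing"))
        elif not path.startswith(TRUSTED_ROOTS):
            flagged.append((e["name"], "unusual location: " + path))
    return flagged


if __name__ == "__main__":
    for name, reason in suspicious(parse_loading_points(SAMPLE)):
        print(f"{name}: {reason}")
```

Entries under a user profile path pass the root check here; in a real review, a Run value pointing into a user-writable directory still deserves a look.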

#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:49 AM

Posted 06 February 2011 - 05:47 AM

Hi kpankov, :)


Sorry for the delay again.


It's now safe to re-install your preferred antivirus.
If you like AVG let it be AVG.
Download and install the latest version from the link below:
http://free.avg.com/us-en/download-free-antivirus

Make sure that you keep your antivirus updated.
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Note:
You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.





Let's do some updating tasks to improve your PC security.



Update Adobe Reader



Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader X to your PC's desktop.

* Uninstall Adobe Reader 9.1 via Start => Control Panel > Add/Remove Programs
* Install the new downloaded updated software.


Note: The McAfee Security Scan is prechecked. You may wish to uncheck it before downloading.
Posted Image


Note: Adobe Reader X is a large program and if you prefer a smaller program you can get Foxit Reader 4.x instead.

Foxit Reader 4.x offers 5 levels of security. Click Me for more information.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.



Update Java



Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java SE Runtime Environment 6u23 and save it to your desktop.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

Java™ 6 Update 11
Java™ 6 Update 4
Java™ 6 Update 7


  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



Your Mozilla Firefox is out of date!
You can download and install the latest version 3.6.13 from here if you want.
I highly recommend doing a backup of your existing profile using MozBackup or FEBE before you proceed with the update.



It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.





  • I see you have Malwarebytes' Anti-Malware installed on your computer.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.





Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.



Regards,
Georgi



#15 kpankov

kpankov
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:09:49 PM

Posted 06 February 2011 - 06:20 PM

Hi,

I went through all of the steps, until I had to use the Kaspersky WebScanner. While it was downloading the latest program and definition files (after I first pressed Accept) I received this message:

Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.

Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: License has expired]


During the scan, my Internet was always connected. When I tried to start it again, it wouldn't even start downloading the files, the above error message would just pop up right away. However, it was taking a really long time the first time I used it, and it says "License has expired" so I think maybe I'll have to try some other time, maybe the next day.

Anyway, here's the Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5694

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

06/02/2011 2:34:08 PM
mbam-log-2011-02-06 (14-34-08).txt

Scan type: Quick scan
Objects scanned: 139739
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

As you can see, there were no malicious items detected.

Please let me know what to do next. Thanks a lot.



