I am infected: computer has a mind of its own


This topic is locked
21 replies to this topic

#1 Dave Clark

Posted 10 April 2011 - 02:37 PM

Hi, sorry to be so pessimistic, but I've been trying all day to post this message.
I'm running XP Pro, and my problem started with my Avira A/V prog being disabled together with other A/V progs.
I tried running Spybot when my Avira program would not respond, only for it to report as follows:

Smithfraud-C [204 - $A031DD74] Access violation at address 03D641AC in module 'Chai.dll Read of address 0000000E)
Win32 Agent deot [1 - $D88DB90E] (Access violation at address 03D641AC in module 'Chai.dll Read of address 0000000E)
Win32 TDSS.rtk [564 - $E496DFD0] (Access violation at address 03D6BBCB0 in module 'Chai.dll Read of address 0000001C)
Win32.TDSS.rtk [564 - $E496DFD0] (Access violation at address 00000000. Read of address 00000000)
Win32.TDSS.rtk [1487 - $F511A776] (Access violation at address 00000000. Read of address 00000000)
Win32.ZBot [333 - $AF70FA22] (Access violation at address 03D64E7E in Module 'Chai.dll' Read of address 00000006)

I then tried to run MBAM, but the program just hung after about 15 mins.
Then I removed Avira, downloaded a new copy, installed it and ran it, but it didn't run as normal: it finished in about 15 mins instead of the normal 1 hr+, and it reported no problems.

I have been disconnected from the internet 3 times, but only on this computer, as the laptop etc. is still connected; I had to reboot each time to get the internet back.

I have many problems, but I am just going to upload the DDS & GMER logs, as I could be disconnected before I have time. Please respond ASAP.

regards,

Dave

DDS (Ver_11-03-05.01) - NTFSx86
Run by Anyone at 10:04:33.73 on 10/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1299 [GMT 1:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Vtune\TBPanel.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Cordless USB Phone\Cordless DUALphone Suite.exe
C:\Program Files\Power Translator 11\LogoMedia TranslateDotNet Server.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Telefonica\bin\tgsrvc.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Anyone\Desktop\Computer Help 13-05-10\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: LEC: {1dbab667-a486-421e-afe4-cf07dd0088e5} - c:\program files\power translator 11\applications\LEC IE Translation Extension.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Opware15] "c:\program files\scansoft\omnipage15.0\Opware15.exe"
mRun: [Gainward] c:\program files\vtune\TBPanel.exe /A
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\anyone\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\anyone\startm~1\programs\startup\SHORTC~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cordle~1.lnk - c:\program files\cordless usb phone\Cordless DUALphone Suite.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: Open with Scansoft PDF Converter 3.0 - c:\program files\scansoft\omnipage15.0\pdfconverter3\IEShellExt.dll /100
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://web.atar.rima-tde.net/sdccommon/download/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1277240890953
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\anyone\applic~1\mozilla\firefox\profiles\bhe4gn2q.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\documents and settings\anyone\application data\mozilla\firefox\profiles\bhe4gn2q.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\anyone\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
.
============= SERVICES / DRIVERS ===============
.
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2010-5-3 223535]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-10 11608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-10 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-10 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-10 61960]
R2 tgsrvc_telefonica;SupportSoft Repair Service (telefonica);c:\program files\telefonica\bin\tgsrvc.exe [2010-3-29 185640]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-6-24 92008]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\anyone\desktop\movies temp\rosetta stone\virtual cd rom\vcdrom.sys --> c:\documents and settings\anyone\desktop\movies temp\rosetta stone\virtual cd rom\VCdRom.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-11 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2011-2-28 30576]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-10 08:05:51 -------- d-----w- c:\docume~1\anyone\applic~1\Avira
2011-04-10 08:03:14 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-04-10 08:03:13 -------- d-----w- c:\program files\Avira
2011-04-10 08:03:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2011-04-09 21:41:01 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-04-09 21:41:01 -------- d-----w- c:\windows\system32\wbem\Repository
2011-04-09 08:11:49 -------- d-----w- c:\docume~1\anyone\applic~1\ParetoLogic
2011-04-09 08:11:49 -------- d-----w- c:\docume~1\anyone\applic~1\DriverCure
2011-04-09 08:11:40 -------- d-----w- c:\program files\common files\ParetoLogic
2011-04-09 08:11:38 -------- d-----w- c:\program files\ParetoLogic
2011-04-09 08:11:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2011-03-23 16:11:46 -------- d-----w- c:\program files\PhotomatixPro4
2011-03-23 16:11:46 -------- d-----w- c:\docume~1\anyone\applic~1\HDRsoft
2011-03-17 16:13:22 -------- d-----w- C:\DOWNLOADS_COMPLETE
2011-03-14 21:15:31 719872 ----a-w- c:\windows\system32\devil.dll
2011-03-14 21:15:31 -------- d-----w- c:\program files\common files\Common Share
2011-03-14 21:15:30 351744 ----a-w- c:\windows\system32\avisynth.dll
2011-03-14 21:15:28 1060864 ----a-w- c:\windows\system32\mfc71.dll
2011-03-14 21:15:28 -------- d-----w- c:\program files\RER
.
==================== Find3M ====================
.
2011-04-01 10:19:27 1246752 ----a-w- c:\windows\system32\AutoPartNt.exe
2011-03-02 13:45:56 154624 ----a-w- c:\windows\system32\RemoteControl.dll
2011-02-09 13:53:52 270848 ------w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ------w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-16 16:17:06 709456 ----a-w- c:\windows\is-91RPS.exe
2011-01-15 11:33:46 78 ----a-w- c:\program files\erunt.bat
.
============= FINISH: 10:10:09.37 ===============

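Added example, not part of this thread and not code from the DDS tool's authors: a small Python triage pass over lines in the shape of the DDS log above. It flags security products DDS reports as *Disabled*, drivers whose file DDS could not resolve (the "-->" entries ending in "[?]"), and boot/system-start drivers living outside the usual system directories. The sample lines are constructed from the log above, and the "[?]" interpretation and the trusted-root list are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the DDS log above: a few of its AV/FW
# status lines and SERVICES / DRIVERS entries, not the whole log.
SAMPLE_DDS = r"""
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled*
.
============= SERVICES / DRIVERS ===============
.
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2010-5-3 223535]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-10 11608]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\anyone\desktop\movies temp\rosetta stone\virtual cd rom\vcdrom.sys --> c:\documents and settings\anyone\desktop\movies temp\rosetta stone\virtual cd rom\VCdRom.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
.
=============== Created Last 30 ================
"""

# One service/driver line: state (R running, S stopped), start type (0 boot,
# 1 system, 2 auto, 3 demand, 4 disabled), then name;display name;path.
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
EARLY_START = {"0", "1"}  # loaded at boot/system start, before user-mode AV
# Where a legitimate kernel driver is expected to live (heuristic assumption;
# extend for non-default install locations).
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\program files")


@dataclass
class Service:
    state: str
    start_type: str
    name: str
    display: str
    path: str
    file_missing: bool


def parse_services(text: str) -> list[Service]:
    """Parse the SERVICES / DRIVERS block of a DDS log into Service records."""
    out, in_block = [], False
    for line in text.splitlines():
        if "SERVICES / DRIVERS" in line:
            in_block = True
            continue
        if in_block and line.startswith("====="):
            break  # next section header ends the block
        m = SERVICE_RE.match(line) if in_block else None
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        # DDS prints "registry path --> resolved path [?]" when it could not
        # find the file on disk, else "path [date size]" (interpretation assumed).
        missing = rest.rstrip().endswith("[?]")
        path = rest.split(" --> ")[-1]
        path = re.sub(r"\s*\[[^\]]*\]\s*$", "", path)  # drop trailing "[...]"
        path = path.lstrip("\\?").lower()              # drop NT "\??\" prefix
        out.append(Service(state, start, name, display, path, missing))
    return out


def disabled_security_products(text: str) -> list[str]:
    """Names of AV/FW products that DDS reports as *Disabled*."""
    return [m.group(2) for m in
            (re.match(r"^(AV|FW): (.+?) \*Disabled", ln) for ln in text.splitlines()) if m]


def triage(text: str) -> list[tuple[str, str]]:
    """(finding, subject) pairs a helper would look at first in a DDS log."""
    findings = [("disabled-security-product", p) for p in disabled_security_products(text)]
    for s in parse_services(text):
        if s.file_missing:
            findings.append(("driver-file-missing", s.name))
        if s.start_type in EARLY_START and not s.path.startswith(TRUSTED_ROOTS):
            findings.append(("early-start-driver-outside-system-dirs", s.name))
    return findings
```

Run triage(SAMPLE_DDS) to get the list of findings; a missing-file entry for a boot-start driver such as Lbd is usually a leftover registration from an uninstalled product, but it is exactly the kind of entry a helper checks by hand.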
#2 shelf life

Posted 16 April 2011 - 07:14 AM

Hi Dave Clark,

Based on what you posted, you really shouldn't be using the computer until it's clean. At the least it should have no connectivity; if you're not sure how to do this, then just power it off. Your post is a few days old; if you still need help, simply reply back.

How Can I Reduce My Risk to Malware?


#3 Dave Clark

Posted 16 April 2011 - 07:23 AM

Yes, I still need help. How badly is it infected?

Dave

#4 shelf life

Posted 16 April 2011 - 07:42 AM

how badly is it infected

Let's see.

We will get two downloads to use: the first is tdsskiller, the next is Combofix. Use tdsskiller first. Combofix requires that you read a guide first. Read through the guide, then apply the directions on your own machine. Post the tdsskiller log and the combofix log.

1) Please download TDSSKiller.exe and save it to your desktop.
Double-click to launch the utility. After it initializes, click the Start scan button.

Once the scan completes, you can click the Continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might be required after disinfection."

A report will be found in your root drive, Local Disk (C:), as TDSSKiller.2.4.2.1_09.08.2010_17.32.21_log.txt (name, version, date, time).
Please post the log report.

2) Guide to using Combofix



#5 Dave Clark

Posted 16 April 2011 - 12:31 PM

Hi,

I've done as requested and enclose the logs. I see that Combofix removed my Photoshop registration for some reason, so I will have to contact Adobe again to re-enable it.
The computer seems to be running a bit better since I switched it back on to reply to your instructions. I had restored my computer using System Restore a few days ago before closing it down.

Dave

#6 shelf life

Posted 16 April 2011 - 04:27 PM

We will get another download that you can keep and use:

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*


When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.



#7 Dave Clark

Posted 16 April 2011 - 05:39 PM

Hi ShelfLife,

I started the MBAM scan, and shortly after, my Avira A/V popped up and said "Virus/unwanted program found: Java/Decouvert.as", which was removed.
I looked in the Avira program and the location was: C\Documents and settings\Anyone\application Data\Sun\\Java\Deployment\Cache\6.0\14\2833c24e-432c142b

MBAM is still running; I will reply again in the morning with the log, as it's 11.45 pm here in Tenerife.

regards,

Dave

#8 Dave Clark

Posted 16 April 2011 - 06:16 PM

Hi, back again.
I waited until MBAM finished; log attached. I have also attached a log from Avira re the virus it found. I noted that at the bottom of the report it says "Description inserted by Chiaho Heng on Wednesday, April 13th, 2011".
In my first post the Spybot report said the access violation was in module Chai.dll; is this a coincidence or not?!

Dave

#9 shelf life

Posted 16 April 2011 - 08:19 PM

how badly is it infected

Doesn't appear bad at all after the logs.

it says "Description inserted by Chiaho Heng on Wednesday, April 13th,2011".
In my first post the Spybot report said the Access violation was in module Chai.dll, is this a coincidence or not!!

It's a coincidence.

Chai.dll is a plugin used by Spybot Search and Destroy which you have installed.

Description inserted by Chiaho Heng on Wednesday, April 13th,2011


It appears here also on the Avira website.

Avira removed the problem (JAVA/Decouvert.AS)



#10 Dave Clark

Posted 17 April 2011 - 02:29 AM

Hi Shelf Life,

So do you think I'm now clean or could there still be something else?

Could all the problems I had be caused by that Java Decouvert virus?

A few things I don't understand:

Why didn't my A/V program pick up the virus sooner?

Do you know why the A/V program threw up all of those violation warnings?

Is it possible for the virus to be in the update for Java from Sun? If so, how can I guard against it in the future, as you only have the option to install the update or not? As far as I'm aware there is no option to save the update to enable a scan of the file before installation.

Why did ComboFix remove the registration for my PS CS2, as it's a pain to re-register with Adobe?

It also removed other folders as "Other Deletions" in the Combo log. Were they important, i.e. the Windows folder?

Is it possible for that virus to "attack" my A/V progs as in my original post?

What do I do next?


Many Thanks for your help, Much Appreciated.

Kind Regards,

Dave

Edited by Dave Clark, 17 April 2011 - 04:49 AM.


#11 shelf life

Posted 17 April 2011 - 10:11 AM

In answer to your questions:
Based on the logs, your computer is clean. I don't think Java Decouvert caused all your problems. Looks to me like all those "Access violation at address.." were caused by the software itself. A reboot always manages to sort things out. I don't know why it didn't detect it sooner. Maybe it's a false positive. I doubt it installed with a Java update. No, I don't think the virus attacked your AV software. You are sure that's your Adobe registration that Combofix removed? If so, we can move it back to its original location.



#12 Dave Clark

Posted 17 April 2011 - 10:39 AM

Hi,

Yes, it was the registration that Combofix removed. Also, what about the Windows folder in My Documents; is that of any importance?

regards,

Dave

#13 shelf life

Posted 17 April 2011 - 03:36 PM

By default there shouldn't be a Windows folder in "My Documents" unless you created it yourself. But we can move that back also to its original location, then check to see if anything is actually in the folder or if it's empty. I will post back when I get the correct syntax to use with Combofix.



#14 shelf life

Posted 17 April 2011 - 03:52 PM

OK, try this:

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

DEQUARANTINE::
C:\Qoobox\Quarantine\c:\documents and settings\All Users\Application Data\Adobe Systems
C:\Qoobox\Quarantine\c:\documents and settings\All Users\Application Data\Adobe Systems\Product licenses\B2B86000.dat
C:\Qoobox\Quarantine\c:\documents and settings\Anyone\WINDOWS
QUIT::
Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved (CFScript.txt) and the Combofix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the Combofix icon and release; Combofix will run and produce a new log.
Please post the new Combofix log.

It should also generate a txt file (DeQuarantine_log.txt); please copy/paste it in your reply.



#15 Dave Clark

Posted 18 April 2011 - 03:23 AM

Hi,

Rather than use your CFScript, I just went into QBox and put the quarantined item back into the Adobe folder, and all is well. Also, the Windows folder was empty.

Many thanks for your help,

Kind Regards,

Dave