
Browser redirects, suspicious rundll32 activity


This topic is locked
4 replies to this topic

#1 Xqwzt


  • Members
  • 2 posts

Posted 07 August 2011 - 04:38 PM

Hi there

I recently downloaded a .exe file, but nothing happened when I ran it, so I suspected it was malware of some sort. Opened Task Manager and found 3 processes running with which I was not familiar: agz.exe, ag2.exe and ahusaa.exe.

Attempted to remove these with antivirus (Microsoft security essentials) but found that it had been turned off and that I could not turn it on again. I cannot see what the error message is because the window opens and closes too quickly. The same goes for windows defender. Tried reinstalling, but same problem.

I did a bit of searching, and found a site that recommended I install malwarebytes and superantispyware and scan with these programs. I did so, and both found infections which they cleaned up.

Still unable to turn on antivirus and getting constantly redirected through goingonearth.com to a site which offers registry boosters (don't know if they're genuine, but I assume not) when trying to download another antivirus, I searched some more and found advice to run Disk Cleanup to fix the redirect problem. This works, but only temporarily: the redirects come back after a short period of time. I managed to download AVG Free, but it found no problems.

This is the most recent site I have been redirected to: hxxp://www.liutilities.com/products/campaigns/affiliate/cb/offer/myadwise/rb/B3/ All redirects seem to go to some page/product linked with liutilities.com but only seem to happen on sites I don't often use. The regularly used ones (Facebook, StumbleUpon etc.) are fine.

The other problem is that malwarebytes keeps popping up with "rundll32.exe attempted to access a potentially malicious website." I made a note of the IP addresses, which are always the same: 95.168.173.224/225 belonging to inferno.name in Germany (don't know if that's helpful) through various ports, last one was 50223.

Searched for a way to solve the problem, and found this: http://windowsxp.mvps.org/rundll32.htm
Entered the command on that page in cmd, but instead of getting a .txt file, I get a message in cmd saying that access is denied.

AVG, Malwarebytes and SUPERAntiSpyware all currently find no infection on my PC, but the behaviours above suggest that there is one. Still cannot turn on Microsoft Security Essentials or Windows Defender, and redirects are a recurring problem.

Any help you can give would be greatly appreciated :D




DDS.txt:


.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by User 1 at 22:58:58 on 2011-08-07
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4095.2264 [GMT 2:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
C:\Program Files (x86)\AVG\AVG10\avgemca.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\MediaMonkey\MediaMonkey.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~2\AVG\AVG10\avgrsa.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uWindow Title =
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [NBAgent] "C:\Program Files (x86)\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe" /WinStart
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
StartupFolder: C:\Users\USER1~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{265860E0-7DB1-4C2B-B189-A701FE631BE5} : NameServer = 196.201.1.6 196.201.1.7
TCP: Interfaces\{29B8A105-0A3B-4038-8505-79ACF88208AA} : DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: AVG Security Toolbar BHO: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: AVG Security Toolbar: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files (x86)\AVG\AVG10\Toolbar\IEToolbar.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [NBAgent] "C:\Program Files (x86)\Nero\Nero BackItUp & Burn\Nero BackItUp\NBAgent.exe" /WinStart
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\User 1\AppData\Roaming\Mozilla\Firefox\Profiles\tfumcqyt.default\
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amdide64;amdide64;C:\Windows\system32\DRIVERS\amdide64.sys --> C:\Windows\system32\DRIVERS\amdide64.sys [?]
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-7-19 146816]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-8-5 366640]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 CardManagerInstall;CardManagerInstall;C:\Program Files\EVDO Card CDMA1X Manager\ServiceStartInstall.exe [2010-12-17 225280]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-8-6 1025352]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 SPACE_E800_USB;Space E800 Serial Communication;C:\Windows\system32\DRIVERS\SPACE_E800_USB.sys --> C:\Windows\system32\DRIVERS\SPACE_E800_USB.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-08-07 14:01:49 967 ----a-w- C:\Windows\ScUnin.pif
2011-08-07 14:01:49 94208 ----a-w- C:\Windows\ScUnin.exe
2011-08-07 13:56:18 -------- d-----w- C:\Program Files (x86)\DAEMON Tools Lite
2011-08-07 13:55:39 -------- d-----w- C:\Users\User 1\AppData\Roaming\DAEMON Tools Lite
2011-08-07 13:55:36 -------- d-----w- C:\ProgramData\DAEMON Tools Lite
2011-08-06 13:38:47 -------- d-----w- C:\Users\User 1\AppData\Roaming\AVG
2011-08-06 13:30:41 -------- d-----w- C:\Users\User 1\AppData\Local\AVG Security Toolbar
2011-08-06 12:48:20 -------- d-----w- C:\Users\User 1\AppData\Roaming\AVG10
2011-08-06 12:47:34 -------- d-----w- C:\ProgramData\AVG Security Toolbar
2011-08-06 12:47:25 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2011-08-06 12:46:32 -------- d-----w- C:\Windows\System32\drivers\AVG
2011-08-06 12:46:32 -------- d-----w- C:\ProgramData\AVG10
2011-08-06 12:46:07 -------- d-----w- C:\Program Files (x86)\AVG
2011-08-06 11:44:37 -------- d--h--w- C:\ProgramData\Common Files
2011-08-06 11:44:13 -------- d-----w- C:\ProgramData\MFAData
2011-08-06 11:19:22 -------- d-----w- C:\ZHP
2011-08-06 11:19:07 -------- d-----w- C:\Program Files (x86)\ZHPDiag
2011-08-06 11:12:29 -------- d-----w- C:\Program Files (x86)\Ad-Remover
2011-08-05 16:07:19 -------- d-----w- C:\Program Files (x86)\VideoLAN
2011-08-05 14:27:11 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-08-05 14:27:04 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-08-05 13:17:05 -------- d-----w- C:\Program Files\Microsoft IntelliPoint
2011-08-05 13:09:30 -------- d-----w- C:\Windows\PCHEALTH
2011-08-05 12:30:13 -------- d-----w- C:\Users\User 1\AppData\Roaming\SUPERAntiSpyware.com
2011-08-05 12:29:54 -------- d-----w- C:\ProgramData\!SASCORE
2011-08-05 12:29:53 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-08-05 12:29:53 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-08-05 11:21:45 -------- d-----w- C:\Users\User 1\AppData\Roaming\Malwarebytes
2011-08-05 11:21:26 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-05 11:21:25 -------- d-----w- C:\ProgramData\Malwarebytes
2011-08-05 11:21:23 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-05 11:21:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-05 10:51:37 -------- d-----w- C:\Users\User 1\AppData\Local\MediaMonkey
2011-08-05 10:51:35 -------- d-----w- C:\Program Files (x86)\MediaMonkey
2011-08-05 10:44:25 64512 --sha-r- C:\Windows\SysWow64\KBDINASAV.dll
2011-08-05 10:44:25 64512 --sha-r- C:\Windows\SysWow64\INETRESH.dll
2011-07-30 17:24:42 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-30 12:39:46 142296 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browsercomps.dll
2011-07-30 12:39:45 89048 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libEGL.dll
2011-07-30 12:39:45 781272 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll
2011-07-30 12:39:45 465880 ----a-w- C:\Program Files (x86)\Mozilla Firefox\libGLESv2.dll
2011-07-30 12:39:45 2106216 ----a-w- C:\Program Files (x86)\Mozilla Firefox\D3DCompiler_43.dll
2011-07-30 12:39:45 1998168 ----a-w- C:\Program Files (x86)\Mozilla Firefox\d3dx9_43.dll
2011-07-30 12:39:45 1850328 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2011-07-30 12:39:45 15832 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozalloc.dll
2011-07-27 02:05:29 -------- d-----w- C:\Users\User 1\.iGridd
2011-07-12 15:44:00 -------- d-----w- C:\Users\User 1\AppData\Roaming\Moyea
2011-07-12 15:44:00 -------- d-----w- C:\Users\User 1\AppData\Roaming\Leawo Video2AVI v2
2011-07-12 15:44:00 -------- d-----w- C:\Users\User 1\AppData\Roaming\Leawo
2011-07-12 15:43:26 -------- d-----w- C:\ProgramData\Leawo
2011-07-12 15:42:55 499712 ----a-w- C:\Windows\SysWow64\msvcp71.dll
2011-07-12 15:42:55 139264 ----a-w- C:\Windows\SysWow64\xvid.ax
2011-07-12 15:42:47 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-07-12 15:42:47 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-07-12 15:42:47 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-07-12 15:42:47 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
2011-07-12 15:42:47 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-07-12 15:42:43 -------- d-----w- C:\Program Files (x86)\Leawo
.
==================== Find3M ====================
.
2011-06-19 22:27:09 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-06-19 01:34:28 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-06-19 01:34:28 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
2011-06-03 06:56:38 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-06-03 05:56:11 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-06-03 03:48:32 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-06-03 03:48:31 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-06-03 03:48:31 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-03 03:48:31 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-05-28 03:30:09 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-05-28 02:53:58 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-05-14 07:25:06 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-05-14 07:25:06 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-05-14 07:25:06 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-05-14 07:24:33 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-05-14 07:22:25 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-05-14 07:16:48 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-05-14 06:28:33 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-05-14 06:24:36 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-05-14 06:24:08 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-05-14 06:22:24 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-05-14 04:20:05 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-05-14 04:20:03 2048 ----a-w- C:\Windows\SysWow64\user.exe
.
============= FINISH: 22:59:26.94 ===============

Attached Files


Edited by Orange Blossom, 07 August 2011 - 09:42 PM.
Deactivated link. ~ OB
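The DDS log above already contains the data points a responder would pivot on: both security products report themselves disabled, two rundll32.exe instances (one per architecture) run with no visible command line, one interface carries a statically set NameServer next to a DHCP one, and two 64512-byte DLLs with system+hidden+read-only attributes were written to SysWow64 in the same second. The script below is an added example, not part of the thread or of the DDS tool: it parses the DDS section layout and applies those checks to a constructed excerpt of the posted log. The rule names, the choice of heuristics and the list of system directories are the author's assumptions; a static resolver or a hidden file is a lead to verify, not proof of compromise.

```python
"""Triage helper for a DDS log. Added example; the heuristics below are the
author's, not DDS conventions, and flag leads to verify rather than verdicts."""
import re
from collections import defaultdict

# Constructed excerpt of the DDS log from the first post (a few lines per
# section), embedded so the example runs offline.
SAMPLE_DDS = r"""AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
.
============== Pseudo HJT Report ===============
.
TCP: Interfaces\{265860E0-7DB1-4C2B-B189-A701FE631BE5} : NameServer = 196.201.1.6 196.201.1.7
TCP: Interfaces\{29B8A105-0A3B-4038-8505-79ACF88208AA} : DhcpNameServer = 192.168.1.254
.
=============== Created Last 30 ================
.
2011-08-06 12:46:32 -------- d-----w- C:\Windows\System32\drivers\AVG
2011-08-05 11:21:23 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-05 10:44:25 64512 --sha-r- C:\Windows\SysWow64\KBDINASAV.dll
2011-08-05 10:44:25 64512 --sha-r- C:\Windows\SysWow64\INETRESH.dll
2011-06-03 03:48:32 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
.
============= FINISH: 22:59:26.94 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<date> <time> <size or --------> <8-char attribute string> <path>"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+([\w-]{8})\s+(.+)$"
)
STATIC_DNS_RE = re.compile(r"^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\}) : NameServer = (.+)$")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # assumption


def parse_sections(text):
    """Split a DDS log into {section name: [lines]}. Lines before the first
    '=== name ===' banner go under 'Header'; DDS uses a lone '.' as a spacer."""
    sections = defaultdict(list)
    current = "Header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            continue
        sections[current].append(line)
    return sections


def in_system_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def analyse(text):
    """Return a list of (rule, detail) findings, in log order."""
    sections = parse_sections(text)
    findings = []

    # 1. Security products that report themselves disabled.
    for line in sections["Header"]:
        if re.match(r"^(AV|SP|FW): ", line) and "*Disabled" in line:
            findings.append(("protection-disabled", line.split("*")[0].strip()))

    # 2. rundll32.exe with no arguments. DDS prints arguments where present
    #    (compare the svchost -k entries); a bare rundll32 says nothing about
    #    which DLL it hosts, so pull its command line and loaded modules.
    for line in sections["Running Processes"]:
        exe, _, args = line.partition(" ")
        if exe.lower().endswith("\\rundll32.exe") and not args:
            findings.append(("rundll32-no-args", exe))

    # 3. A statically configured resolver (NameServer, not DhcpNameServer).
    #    Not malicious by itself; in a redirect case, confirm who owns it.
    for line in sections["Pseudo HJT Report"]:
        m = STATIC_DNS_RE.match(line)
        if m:
            findings.append(("static-dns", f"{m.group(1)} -> {m.group(2)}"))

    # 4. New files under the system directories: hidden+system attributes on a
    #    just-created file, and several files of the same size written in the
    #    same second (the pattern of the two 64512-byte DLLs in the log).
    dropped = defaultdict(list)
    for line in sections["Created Last 30"]:
        m = CREATED_RE.match(line)
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        if attrs.startswith("d") or not in_system_dir(path):
            continue
        if "s" in attrs and "h" in attrs:
            findings.append(("hidden-system-file", path))
        dropped[(ts, size)].append(path)
    for (ts, size), paths in dropped.items():
        if len(paths) > 1:
            findings.append(("same-second-drop", f"{ts} {size} bytes: " + ", ".join(paths)))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_DDS):
        print(f"{rule:22} {detail}")
```

On the posted log this yields eight findings: the two disabled products, both rundll32 instances, the static 196.201.1.x resolver, the two hidden system DLLs and their same-second drop. The api-ms-win-* file is hidden but not system-flagged and is not reported, which is the intended behaviour: the rules are tuned to the layout DDS emits and will need adjusting for other log tools.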



#2 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 13 August 2011 - 10:16 AM

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Xqwzt

  • Topic Starter

  • Members
  • 2 posts

Posted 22 August 2011 - 06:29 PM

Hi

My apologies for not posting this sooner; I have been away from home the last 10 days.
Attached are the DDS and Combofix logs as requested.

Also, I may have stopped the rundll32 nonsense. Caught the program in the act, as it were: using Task Manager there were 2 rundll32.exe processes; one of these was using processing power when I opened Firefox. I ended the process, and on its attempt to restart AVG prevented it. I did this twice and 2 other DLLs (which appear to be randomly named) were deleted: ATDINASAV.dll (not sure about the first "A" but the rest is correct) and INETRESH.dll (I am sure about this name).
Both were in caps and yielded no results in Google.

The other strange thing was that after running Combofix, I could not run any applications. Kept getting the error message "Illegal operation on a registry entry that has been marked for deletion". Everything seemed fine after I restarted though, but was just wondering if this is normal behaviour.

Anyway, thank you for helping!

Attached Files



#4 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 23 August 2011 - 04:05 AM

Hi again,

Please upload the following file to http://www.virustotal.com (select reanalyse if prompted) and post back a link to results:
c:\qoobox\quarantine\c\program files (x86)\Steam\Steam.exe.vir


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1) here or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish. Post back its findings.



#5 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 31 August 2011 - 05:29 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
