Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Started with Vista Security 2012 Popup, Now Firefox Redirect and svchost


  • This topic is locked This topic is locked
3 replies to this topic

#1 follow1234

follow1234

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 14 August 2011 - 07:29 PM

My issue started this morning when I found that Vista Security 2012 was popping up. I knew this was malware. I determined that it was using the process pma.exe. Whenever I would endtask, it would restart about 10 seconds later. At this time, when I tried to go to anti-virus or process definition websites, it would redirect me to a false error screen saying the page was dangerous. I used msconfig to have windows boot to safemode on next startup. I was able to download malwarebytes onto my cellphone and then USB it over while in safe mode, but it would not run. I chose to endtask on pma.exe and then quickly delete the file. At this time, I tried to load msconfig again, but it could not be found. I then ran malwarebytes. It found 6 issues and deleted them all. When I restarted msconfig worked again, and I thought I was done.

Now, firefox still redirects me whenever I try to go to an antivirus site or a process definition site. My computer is also randomly restarting when I try to visit those sites. I am currently running Avast free version and have been for years. I keep the virus definitions updated, but I think I'm a version behind on the program itself. As of right now, Avast and Malwarebytes both find nothing on full scans. Avast does keep popping up saying it is blocking malicious sites trying to be accessed by svchost.exe. It usually happens quite a few times in a row. When this happens, in task manager, one of the svchost.exe's spikes up to 20% cpu usage. If I endtask on that particular one, it goes away for about a minute, then starts up again with cpu usage and more Avast popups. Also, for some reason, my display keeps doing something weird. The menu bars every so often flash back to classic styling (Win 95ish) for a second and then go back to the Vista styling. This never happened before.

Here are the logs from gmer and dds as requested in the Preparation guide. I also included a screenshot of what Avast keeps popping up with. I probably got a bit ahead of myself by running Combofix, but it seemed to work well for others. It found and deleted 4 files. I'm posting that log too. Thanks in advance.
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.6001.18000
Run by John at 16:55:48 on 2011-08-14
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3326.2094 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
D:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
D:\Program Files\Alwil Software\Avast5\AvastUI.exe
D:\Program Files\Razer\Tarantula\razerhid.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PdaNet for Android\PdaNetPC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WN311BFCS.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [avast5] d:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Tarantula] d:\program files\razer\tarantula\razerhid.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Lycosa] "c:\program files\razer\lycosa\razerhid.exe"
mRun: [LifeChat] "c:\program files\microsoft lifechat\LifeChat.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [BJLaunchEXE] c:\program files\canon\bjcard\BJLaunch.exe
mRun: [AS00_WN311B] c:\program files\netgear\wn311b\utility\WN311B.exe /hide
StartupFolder: c:\users\john\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\users\john\appdata\roaming\micros~1\windows\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
TCP: DhcpNameServer = 8.8.8.8
TCP: Interfaces\{40911C2A-6925-4045-819B-04115DA35C83} : DhcpNameServer = 192.168.42.129
TCP: Interfaces\{B8D85135-8C5D-4AD3-A820-279ACCB13CA4} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{C649A6CB-2AC6-41BC-817F-8D6D5D87A8F3} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{DD5EBD77-A65E-4801-BE91-0978FB216792} : DhcpNameServer = 8.8.8.8
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\am0y14na.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\adobe\reader 9.0\reader\browser\nppdf32.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\program files\veetle\player\npvlc.dll
FF - plugin: d:\program files\veetle\plugins\npVeetle.dll
FF - plugin: d:\program files\veetle\vlcbroadcast\npvbp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-9 165456]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-4 172032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-9 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-7-9 50256]
R2 avast! Antivirus;avast! Antivirus;d:\program files\alwil software\avast5\AvastSvc.exe [2010-7-9 40384]
R2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-14 366640]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-8-17 239648]
R2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-10-7 30152]
R2 WN311BFCS;Netgear WN311B Wireless Control Service;c:\windows\system32\WN311BFCS.exe [2011-5-27 393216]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-5-4 5550592]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-5-4 176128]
R3 avast! Mail Scanner;avast! Mail Scanner;d:\program files\alwil software\avast5\AvastSvc.exe [2010-7-9 40384]
R3 avast! Web Scanner;avast! Web Scanner;d:\program files\alwil software\avast5\AvastSvc.exe [2010-7-9 40384]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-10 24576]
R3 LycoFltr;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2011-4-4 16128]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-14 22712]
R3 NETGEAR;Netgear 802.11 Network Adapter Driver;c:\windows\system32\drivers\WN311B.SYS [2011-4-4 1187320]
R3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [2010-8-30 13184]
S3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\drivers\UsbFltr.sys [2010-1-21 45440]
S3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-6-28 1310720]
.
=============== Created Last 30 ================
.
2011-08-14 23:24:27 -------- d--h--w- c:\windows\PIF
2011-08-14 23:22:49 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-14 23:22:47 -------- d-----w- c:\users\john\appdata\local\temp
2011-08-14 23:06:35 98816 ----a-w- c:\windows\sed.exe
2011-08-14 23:06:35 518144 ----a-w- c:\windows\SWREG.exe
2011-08-14 23:06:35 256000 ----a-w- c:\windows\PEV.exe
2011-08-14 23:06:35 208896 ----a-w- c:\windows\MBR.exe
2011-08-14 19:56:58 -------- d-----w- c:\users\john\appdata\roaming\Malwarebytes
2011-08-14 19:56:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-14 19:56:54 -------- d-----w- c:\programdata\Malwarebytes
2011-08-14 19:56:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-14 19:36:15 -------- d-----w- c:\windows\pss
2011-08-14 19:01:08 0 ----a-w- c:\programdata\qoll.exe
2011-08-14 19:01:08 0 ----a-w- c:\programdata\ojuv.exe
2011-08-14 19:01:08 0 ----a-w- c:\programdata\jknw.exe
2011-08-14 19:01:08 0 ----a-w- c:\programdata\cphb.exe
2011-08-14 03:20:11 6881616 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{925ca9cf-4676-4fce-9ed8-6f631fde2ef0}\mpengine.dll
2011-07-30 03:26:43 -------- d-----w- c:\users\john\riotsGamesLogs
2011-07-17 17:54:14 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-07-17 17:54:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
==================== Find3M ====================
.
2011-06-18 15:16:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 02:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 16:56:06.39 ===============



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-14 17:10:03
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdePort0 FTM64GL25H rev.081210
Running: gmer.exe; Driver: C:\Users\John\AppData\Local\Temp\kxldypog.sys


---- System - GMER 1.0.15 ----

INT 0x52 ? 8686ABF8
INT 0x61 ? 84D43BF8
INT 0x62 ? 8686ABF8
INT 0x62 ? 8686ABF8
INT 0x71 ? 84D43BF8
INT 0x81 ? 84D43BF8
INT 0x91 ? 8686ABF8
INT 0x91 ? 8686ABF8
INT 0x91 ? 8686ABF8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x941BDB9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x941BD9C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x941BDAFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 81F7DAD2 7 Bytes JMP 941BDAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81FED9F8 5 Bytes JMP 941B95B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 82056357 5 Bytes JMP 941BAF6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 82057157 2 Bytes JMP 941BD9C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection + 3 8205715A 4 Bytes [16, 12, CC, CC] {PUSH SS; ADC CL, AH; INT 3 }
PAGE ntkrnlpa.exe!ZwCreateProcessEx 820A21FA 7 Bytes JMP 941BDBA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? System32\Drivers\spsv.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9340B000, 0x2FBFB8, 0xE8000020]
.text USBPORT.SYS!DllUnload 8ADA446F 5 Bytes JMP 8686A1D8
.text aap1jf8l.SYS 93D2A000 22 Bytes [26, E2, 1C, 82, 10, E1, 1C, ...]
.text aap1jf8l.SYS 93D2A017 78 Bytes [00, 32, 17, 50, 82, 3D, 15, ...]
.text aap1jf8l.SYS 93D2A066 66 Bytes [E1, 81, C8, 4B, E6, 81, 30, ...]
.text aap1jf8l.SYS 93D2A0A9 35 Bytes [10, E6, 81, A0, 07, E6, 81, ...]
.text aap1jf8l.SYS 93D2A0CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtProtectVirtualMemory 77B48968 5 Bytes JMP 0083000A
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!NtWriteVirtualMemory 77B492A8 5 Bytes JMP 0084000A
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!KiUserExceptionDispatcher 77B499E8 5 Bytes JMP 0082000A
.text C:\Windows\Explorer.EXE[3220] ntdll.dll!NtProtectVirtualMemory 77B48968 5 Bytes JMP 0094000A
.text C:\Windows\Explorer.EXE[3220] ntdll.dll!NtWriteVirtualMemory 77B492A8 5 Bytes JMP 0095000A
.text C:\Windows\Explorer.EXE[3220] ntdll.dll!KiUserExceptionDispatcher 77B499E8 5 Bytes JMP 008C000A

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device \FileSystem\Ntfs \Ntfs 84D481F8
Device \Driver\netbt \Device\NetBT_Tcpip_{C649A6CB-2AC6-41BC-817F-8D6D5D87A8F3} 86E7E500
Device \Driver\volmgr \Device\VolMgrControl 84D451F8
Device \Driver\usbohci \Device\USBPDO-0 868871F8
Device \Driver\usbohci \Device\USBPDO-1 868871F8
Device \Driver\usbehci \Device\USBPDO-2 8697E1F8
Device \Driver\usbohci \Device\USBPDO-3 868871F8
Device \Driver\usbohci \Device\USBPDO-4 868871F8

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbehci \Device\USBPDO-5 8697E1F8
Device \Driver\usbohci \Device\USBPDO-6 868871F8
Device \Driver\volmgr \Device\HarddiskVolume1 84D451F8
Device \Driver\volmgr \Device\HarddiskVolume2 84D451F8
Device \Driver\cdrom \Device\CdRom0 86F9D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84D471F8
Device \Driver\atapi \Device\Ide\IdePort0 84D471F8
Device \Driver\atapi \Device\Ide\IdePort1 84D471F8
Device \Driver\atapi \Device\Ide\IdePort2 84D471F8
Device \Driver\atapi \Device\Ide\IdePort3 84D471F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 84D471F8
Device \Driver\volmgr \Device\HarddiskVolume3 84D451F8
Device \Driver\USBSTOR \Device\00000080 86D85500
Device \Driver\netbt \Device\NetBT_Tcpip_{DD5EBD77-A65E-4801-BE91-0978FB216792} 86E7E500
Device \Driver\netbt \Device\NetBt_Wins_Export 86E7E500
Device \Driver\sptd \Device\2307110805 spsv.sys
Device \Driver\Smb \Device\NetbiosSmb 86F90500
Device \Driver\PCI_PNP2772 \Device\0000004f spsv.sys
Device \Driver\iScsiPrt \Device\RaidPort0 8686F1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{B8D85135-8C5D-4AD3-A820-279ACCB13CA4} 86E7E500

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 868871F8
Device \Driver\usbohci \Device\USBFDO-1 868871F8
Device \Driver\usbehci \Device\USBFDO-2 8697E1F8
Device \Driver\usbohci \Device\USBFDO-3 868871F8
Device \Driver\usbohci \Device\USBFDO-4 868871F8
Device \Driver\usbehci \Device\USBFDO-5 8697E1F8
Device \Driver\USBSTOR \Device\0000007f 86D85500
Device \Driver\usbohci \Device\USBFDO-6 868871F8
Device \Driver\aap1jf8l \Device\Scsi\aap1jf8l1Port5Path0Target0Lun0 868941F8
Device \Driver\aap1jf8l \Device\Scsi\aap1jf8l1 868941F8
Device \FileSystem\cdfs \Cdfs 8852D1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 7902
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7E 0x7D 0x75 0x8D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5C 0xA2 0x76 0x2F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x53 0x19 0x9E 0xD9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xCC 0x09 0xF0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7E 0x7D 0x75 0x8D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5C 0xA2 0x76 0x2F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x53 0x19 0x9E 0xD9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xCC 0x09 0xF0 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Users\John\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\VTKEJFNF\www.hulu.com.\BeaconService.sol 85 bytes
File C:\Users\John\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.hulu.com.\settings.sol 83 bytes

---- EOF - GMER 1.0.15 ----


ComboFix 11-08-15.06 - John 08/14/2011 16:09:49.1.4 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3326.2283 [GMT -7:00]
Running from: c:\users\John\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\John\AppData\Local\ajlo.exe
c:\users\John\AppData\Local\ataa.exe
c:\users\John\AppData\Local\mhch.exe
c:\users\John\AppData\Local\ovan.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-14 to 2011-08-14 )))))))))))))))))))))))))))))))
.
.
2011-08-14 19:56 . 2011-08-14 19:56 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2011-08-14 19:56 . 2011-07-08 14:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-14 19:56 . 2011-08-14 19:56 -------- d-----w- c:\programdata\Malwarebytes
2011-08-14 19:56 . 2011-07-08 14:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-14 19:01 . 2011-08-14 19:01 0 ----a-w- c:\programdata\qoll.exe
2011-08-14 19:01 . 2011-08-14 19:01 0 ----a-w- c:\programdata\ojuv.exe
2011-08-14 19:01 . 2011-08-14 19:01 0 ----a-w- c:\programdata\jknw.exe
2011-08-14 19:01 . 2011-08-14 19:01 0 ----a-w- c:\programdata\cphb.exe
2011-08-14 03:20 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{925CA9CF-4676-4FCE-9ED8-6F631FDE2EF0}\mpengine.dll
2011-07-30 03:26 . 2011-07-30 18:50 -------- d-----w- c:\users\John\riotsGamesLogs
2011-07-17 17:54 . 2011-07-17 17:53 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-17 17:54 . 2011-07-17 17:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-17 17:52 . 2011-07-17 17:52 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-18 15:16 . 2011-06-18 15:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-25 02:14 . 2009-10-02 23:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="d:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Tarantula"="d:\program files\Razer\Tarantula\razerhid.exe" [2007-05-07 159744]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-05 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Lycosa"="c:\program files\Razer\Lycosa\razerhid.exe" [2007-11-20 147456]
"LifeChat"="c:\program files\Microsoft LifeChat\LifeChat.exe" [2009-09-28 264040]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-12-14 421160]
"BJLaunchEXE"="c:\program files\Canon\BJCard\BJLaunch.exe" [2006-09-06 722544]
"AS00_WN311B"="c:\program files\NETGEAR\WN311B\Utility\WN311B.exe" [2007-09-21 2150400]
.
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
PdaNet Desktop.lnk - c:\program files\PdaNet for Android\PdaNetPC.exe [2010-8-30 465424]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-3-8 809488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- d:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-07-08 14:55 449584 ----a-w- d:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R3 TarFltr;Razer Tarantula USB Keyboard;c:\windows\system32\Drivers\UsbFltr.sys [2007-04-12 45440]
R3 USBPNPA;USB PnP Sound Device Interface;c:\windows\system32\drivers\CM108.sys [2007-06-28 1310720]
R3 ZDPSp60;ZDPSp60 NDIS Protocol Driver;c:\windows\system32\Drivers\ZDPSp60.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-11 691696]
S1 aswSP;aswSP; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-05 172032]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-08 366640]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2009-08-17 239648]
S2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-04-04 30152]
S2 WN311BFCS;Netgear WN311B Wireless Control Service;c:\windows\system32\WN311BFCS.exe [2007-09-21 393216]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-05-05 5550592]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-05-05 176128]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-06-10 24576]
S3 LycoFltr;Lycosa Keyboard;c:\windows\system32\Drivers\Lycosa.sys [2008-01-18 16128]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-08 22712]
S3 NETGEAR;Netgear 802.11 Network Adapter Driver;c:\windows\system32\DRIVERS\wn311b.sys [2008-03-27 1187320]
S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2010-08-16 13184]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 8.8.8.8
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\am0y14na.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: vShare: vshareus@toolbar - %profile%\extensions\vshareus@toolbar
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-InFlac - d:\program files\Winamp\InFlac-Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-14 16:16
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\John\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1549005948-3458362074-2615446139-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5d,8a,d2,62,0e,01,51,a0,fc,a6,2a,34,2d,93,27,10,5c,d9,66,2f,0b,c1,48,
bc,c2,8c,6e,83,13,0e,7f,33,26,6c,21,d2,c3,16,dc,50,12,e1,bd,49,d0,98,9b,3d,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
Completion time: 2011-08-14 16:22:45
ComboFix-quarantined-files.txt 2011-08-14 23:22
.
Pre-Run: 11,080,687,616 bytes free
Post-Run: 11,038,789,632 bytes free
.
- - End Of File - - A4A1424EC2C433895CB6E65C9AEE1037


Attached File  svchost.jpg   31.04KB   1 downloads

Attached Files


Edited by follow1234, 14 August 2011 - 08:00 PM.


BC AdBot (Login to Remove)

 


#2 follow1234

follow1234
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 14 August 2011 - 08:23 PM

So, I think I fixed it by reading some other posts. I downloaded aswMBR.exe. I had to try 4 times as the download kept cancelling itself. Once I got it, it found a rootkit, as I kind of thought it would based on related postings. I chose fix, restarted, and now I no longer get redirected or have high svchost.exe cpu usage. I'm keeping this post here though to ask if there is anything else I should do or also run just to make sure I got it all. If there isn't, let me know, and I'll delete the post.

Thanks!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:33 AM

Posted 19 August 2011 - 07:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resouce! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/414433 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:33 AM

Posted 24 August 2011 - 07:35 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users