Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

xp Antispyware 2012 & screensaver seems to have virus


  • This topic is locked This topic is locked
29 replies to this topic

#1 always_learning

always_learning

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 28 December 2011 - 10:13 PM

On Sunday, 12/25/2011 I got the xp antispyware 2012 virus on my PC running Windows XP Prof.

I did the following things and was able to resolve some of the issues, but have a strange problem with the screensaver, which I'm sure comes from the virus:
At first, when I ran a scan, and it went to the screensaver, and I wiggled the mouse, it would then show only my original user and log into it automatically and try to open some file or execute a file and come up with the "which program do yo want to use to open this file?". I didn't check, to see, which file it tried to run. When I logged out of that user, all users were there again.
Now it is worse, when I ran GMER and the screensaver came on, then upon me wiggling the mouse, the computer rebooted and briefly showed a blue screen, then took a long time to boot up again. I started the scan over, after changing the time on the screensaver, and making sure, it won't go into screensaver again. I have not found any info anywhere on these weird things with the screensaver.

So here are the steps I took to get ridd of the virus:
I tried booting in safe mode, but couldn't.
-I was able to login to my other administrator account and did a restore to the previous day from there. Then I found your instructions and followed them:
--I ran FixNCR.reg.
--I ran rkill.
--I scanned with Malwarebytes. It found 2 trojans, one was in a system restore folder. I had it remove them.

I installed AVG and updated it, removed Avira and scanned with AVG.
I updated Ad-Aware and scanned with it.
I installed spybot and scanned with it.

Some of these scans found more files, I think Ad-Aware found more trojans, which I had it remove. I think spybot found only tracking cookies.

I did another step, to get my executables to run again under the infected user. I have tried to find these instructions again, but can't. It did work. My executables under the other users worked fine all along.

Can you tell from the logs, if I still have the virus?

Thank you so much for helping me!!!

Here is the DDS.txt:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
Run by SHOLA at 13:08:29 on 2011-12-28
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.3071.2132 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Programme\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\xampp\apache\bin\httpd.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Programme\AVG\AVG2012\avgwdsvc.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Java\jre6\bin\jqs.exe
c:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\xampp\apache\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Programme\AVG\AVG2012\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programme\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ScanSoft\OMNIPA~1.0\WorkFlowTray.exe
C:\Programme\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Programme\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Programme\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\Vimicro Corporation\VMUVC\VMonitor.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Programme\Windows Desktop Search\WindowsSearch.exe
C:\Programme\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar mit Pop-Up-Blocker: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar mit Pop-Up-Blocker: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\programme\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programme\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar mit Pop-Up-Blocker: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\programme\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [QuickTime Task] "c:\programme\quicktime\QTTask.exe" -atboottime
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programme\gemeinsame dateien\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\programme\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [itype] "c:\programme\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\programme\microsoft intellipoint\ipoint.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [TrayServer] c:\progra~1\magix\video_~1\TrayServer.exe
mRun: [Sunkist2k] c:\programme\multimedia card reader\shwicon2k.exe
mRun: [SSBkgdUpdate] "c:\programme\gemeinsame dateien\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [WorkFlowTray] "c:\progra~1\scansoft\omnipa~1.0\WorkFlowTray.exe"
mRun: [Opware14] "c:\programme\scansoft\omnipagepro14.0\Opware14.exe"
mRun: [OpScheduler] "c:\programme\scansoft\omnipagepro14.0\OpScheduler.exe"
mRun: [PDF Converter Registry Controller] "c:\programme\scansoft\omnipagepro14.0\pdfcnv\RegistryController.exe"
mRun: [SSPrnAgent] c:\programme\scansoft\omnipagepro14.0\pdfprn\SPrnAgent.exe
mRun: [Acrobat Assistant 8.0] "c:\programme\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\gemein~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [HP Software Update] "c:\programme\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\programme\hp\hpcoretech\hpcmpmgr.exe"
mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"
mRun: [VMonitorVMUVC] "c:\programme\vimicro corporation\vmuvc\VMonitor.exe" VMUVC
mRun: [QuickTime Task] "c:\programme\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\programme\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] "c:\programme\avg\avg2012\avgtray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\hpdigi~1.lnk - c:\programme\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\hpimag~1.lnk - c:\programme\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\window~1.lnk - c:\programme\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\programme\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: PDF in Word öffnen - c:\programme\scansoft\omnipagepro14.0\pdfcnv\IEShellExt.dll /500
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\programme\gemeinsame dateien\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\programme\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{09308B91-C1AA-4192-9275-B31D05187B2B} : DhcpNameServer = 192.168.1.254
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\programme\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programme\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\programme\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\dokumente und einstellungen\shola\anwendungsdaten\mozilla\firefox\profiles\n83atzpb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\programme\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\programme\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\programme\avg\avg2012\firefox4\components\avgssff7.dll
FF - component: c:\programme\avg\avg2012\firefox4\components\avgssff8.dll
FF - component: c:\programme\avg\avg2012\firefox4\components\avgssff9.dll
FF - plugin: c:\programme\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\programme\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programme\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\programme\avg\avg2012\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-23 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [2009-3-8 108768]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008-1-23 501560]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2008-12-9 24636]
R2 AVGIDSAgent;AVGIDSAgent;c:\programme\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\programme\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programme\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 gupdate1c9e44da0b6cb9e;Google Update Service (gupdate1c9e44da0b6cb9e);c:\programme\google\update\GoogleUpdate.exe [2009-6-3 133104]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programme\magix\common\database\bin\fbserver.exe [2009-2-3 1527900]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\programme\google\update\GoogleUpdate.exe [2009-6-3 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\programme\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8192su.sys --> c:\windows\system32\drivers\RTL8192su.sys [?]
S3 SipIMNDI;T-Online Dialerschutz VoIP Service;c:\windows\system32\drivers\sipimndi.sys --> c:\windows\system32\drivers\SipIMNDI.sys [?]
S3 TTCinergyT2;TerraTec Cinergy T² Driver (TTCinergyT2.sys);c:\windows\system32\drivers\TTCinergyT2.sys [2009-2-22 16640]
S3 UPnPService;UPnPService;c:\programme\gemeinsame dateien\magix shared\upnpservice\UPnPService.exe [2009-2-27 647242]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2010-7-5 250240]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2010-7-5 476032]
.
=============== Created Last 30 ================
.
2011-12-28 00:21:23 -------- d-----w- c:\dokumente und einstellungen\shola\lokale einstellungen\anwendungsdaten\VueSoft
2011-12-27 02:00:15 -------- d-----w- c:\programme\Spybot - Search & Destroy
2011-12-27 02:00:15 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\Spybot - Search & Destroy
2011-12-27 00:35:23 -------- d-----w- c:\dokumente und einstellungen\shola\anwendungsdaten\AVG2012
2011-12-27 00:34:15 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-27 00:34:15 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\AVG2012
2011-12-27 00:33:43 -------- d-----w- c:\programme\AVG
2011-12-27 00:30:04 -------- d--h--w- c:\dokumente und einstellungen\all users\anwendungsdaten\Common Files
2011-12-27 00:29:54 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\MFAData
2011-12-27 00:18:56 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-12-26 20:37:25 -------- d-----w- c:\programme\Lavasoft
2011-12-25 20:00:43 -------- d-----w- c:\dokumente und einstellungen\shola\anwendungsdaten\Malwarebytes
2011-12-25 20:00:10 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\Malwarebytes
2011-12-25 20:00:07 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-25 20:00:07 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2011-12-25 19:53:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-25 19:53:27 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-07 10:40:41 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-12-07 10:40:38 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-12-07 10:39:53 -------- d-----w- c:\windows\system32\RtlGina
2011-12-07 10:39:52 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2011-11-29 12:23:09 -------- d-----w- c:\programme\PhonerLite
.
==================== Find3M ====================
.
2011-12-26 20:40:28 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-11-03 17:06:56 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 11:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2009-02-04 10:05:50 5239808 ----a-w- c:\programme\Multimedia Card Reader Driver.msi
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: MAXTOR_STM3500320AS rev.MX15 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-17
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk1\DR1[0x8ABECAB8]
3 CLASSPNP[0xF763805B] -> nt!IofCallDriver[0x804E13B9] -> \Device\Ide\IdeDeviceP2T0L0-22[0x8ABEDD98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 13:09:13.62 ===============

Attached Files


Edited by always_learning, 28 December 2011 - 10:23 PM.


BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,669 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:33 PM

Posted 03 January 2012 - 12:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/435074 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:33 AM

Posted 04 January 2012 - 03:32 PM

Hello, if you still need help, please post the requested logs.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 always_learning

always_learning
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 04 January 2012 - 07:40 PM

I will redo the logs, hopefully tomorrow. The last time I did the GMER scan, I had to sit and watch and wiggle the mouse for 3 hours, because the screensaver would come on after a few minutes even though I set it to 500 minutes. I have to make sure, the screensaver doesn't come on, or it will cause the PC to reboot and I have to start the scan over again. It seems to do this only when I run a scan. When the screensaver comes on otherwise, it caused no problems. I don't want to test too much with letting it come on during a scan, because I don't know, what else it might be causing.

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:33 AM

Posted 05 January 2012 - 06:02 AM

In that case just skip GMER and only post DDS. :)

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 always_learning

always_learning
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 05 January 2012 - 09:15 PM

Here is today's dds log. This time I ran it from the user that was originally infected. Thank you so much for looking at it.
The operating system is Windows XP Professional, Version 2002, Service pack 2. I believe it is 32 bit. The last AVG scan this week didn't find any problems.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_26
Run by user at 21:06:30 on 2012-01-05
Microsoft Windows XP Professional 5.1.2600.2.1252.49.1031.18.3071.1938 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Programme\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\xampp\apache\bin\httpd.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Programme\AVG\AVG2012\avgwdsvc.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Java\jre6\bin\jqs.exe
c:\xampp\mysql\bin\mysqld.exe
C:\Programme\AVG\AVG2012\avgnsx.exe
C:\xampp\apache\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programme\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\TortoiseSVN\bin\TSVNCache.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\ScanSoft\OMNIPA~1.0\WorkFlowTray.exe
C:\Programme\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Programme\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Programme\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
C:\Programme\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\HP\hpcoretech\hpcmpmgr.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\Programme\Vimicro Corporation\VMUVC\VMonitor.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\VueSoft\VueMinder\VueMinder.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Programme\Windows Desktop Search\WindowsSearch.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programme\HP\Digital Imaging\bin\hpqgalry.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar mit Pop-Up-Blocker: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar mit Pop-Up-Blocker: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\programme\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\programme\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar mit Pop-Up-Blocker: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\programme\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\programme\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\programme\epson\epson web-to-page\EPSON Web-To-Page.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32004B8A-44A9-43E7-84E9-808838809519} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\programme\gemeinsame dateien\ahead\lib\NMBgMonitor.exe"
uRun: [Remote Control Editor] "c:\programme\gemeinsame dateien\terratec\remote\TTTVRC.exe"
uRun: [MSMSGS] "c:\programme\messenger\msmsgs.exe" /background
uRun: [EPSON Stylus S20 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieae.exe /fu "c:\windows\temp\E_S10.tmp" /EF "HKCU"
uRun: [VueMinder] "c:\programme\vuesoft\vueminder\VueMinder.exe" 1
uRun: [Skype] "c:\programme\skype\phone\Skype.exe" /nosplash /minimized
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [itype] "c:\programme\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\programme\microsoft intellipoint\ipoint.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [TrayServer] c:\progra~1\magix\video_~1\TrayServer.exe
mRun: [Sunkist2k] c:\programme\multimedia card reader\shwicon2k.exe
mRun: [SSBkgdUpdate] "c:\programme\gemeinsame dateien\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [WorkFlowTray] "c:\progra~1\scansoft\omnipa~1.0\WorkFlowTray.exe"
mRun: [Opware14] "c:\programme\scansoft\omnipagepro14.0\Opware14.exe"
mRun: [OpScheduler] "c:\programme\scansoft\omnipagepro14.0\OpScheduler.exe"
mRun: [PDF Converter Registry Controller] "c:\programme\scansoft\omnipagepro14.0\pdfcnv\RegistryController.exe"
mRun: [SSPrnAgent] c:\programme\scansoft\omnipagepro14.0\pdfprn\SPrnAgent.exe
mRun: [Acrobat Assistant 8.0] "c:\programme\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\gemein~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [HP Software Update] "c:\programme\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\programme\hp\hpcoretech\hpcmpmgr.exe"
mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"
mRun: [VMonitorVMUVC] "c:\programme\vimicro corporation\vmuvc\VMonitor.exe" VMUVC
mRun: [QuickTime Task] "c:\programme\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\programme\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] "c:\programme\avg\avg2012\avgtray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\hpdigi~1.lnk - c:\programme\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\hpimag~1.lnk - c:\programme\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\window~1.lnk - c:\programme\windows desktop search\WindowsSearch.exe
IE: Append to existing PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\programme\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\programme\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: PDF in Word öffnen - c:\programme\scansoft\omnipagepro14.0\pdfcnv\IEShellExt.dll /500
IE: Sothink SWF Catcher - c:\programme\gemeinsame dateien\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\programme\gemeinsame dateien\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\programme\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\programme\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\programme\avg\avg2012\avgpp.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\programme\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\dokumente und einstellungen\user\anwendungsdaten\mozilla\firefox\profiles\kd0553bc.default\
FF - component: c:\programme\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\programme\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\programme\avg\avg2012\firefox4\components\avgssff7.dll
FF - component: c:\programme\avg\avg2012\firefox4\components\avgssff8.dll
FF - component: c:\programme\avg\avg2012\firefox4\components\avgssff9.dll
FF - plugin: c:\programme\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\programme\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\programme\avg\avg2012\Firefox4
FF - Ext: Sothink SWF Catcher: {FCAB6FDD-5585-425b-95C1-5ED856F3FD08} - %profile%\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-23 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 ACEDRV08;ACEDRV08;c:\windows\system32\drivers\ACEDRV08.sys [2009-3-8 108768]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008-1-23 501560]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2008-12-9 24636]
R2 AVGIDSAgent;AVGIDSAgent;c:\programme\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\programme\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 gupdate1c9e44da0b6cb9e;Google Update Service (gupdate1c9e44da0b6cb9e);c:\programme\google\update\GoogleUpdate.exe [2009-6-3 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programme\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programme\magix\common\database\bin\fbserver.exe [2009-2-3 1527900]
S3 gupdatem;Google Update-Dienst (gupdatem);c:\programme\google\update\GoogleUpdate.exe [2009-6-3 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\programme\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
S3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8192su.sys --> c:\windows\system32\drivers\RTL8192su.sys [?]
S3 SipIMNDI;T-Online Dialerschutz VoIP Service;c:\windows\system32\drivers\sipimndi.sys --> c:\windows\system32\drivers\SipIMNDI.sys [?]
S3 TTCinergyT2;TerraTec Cinergy T² Driver (TTCinergyT2.sys);c:\windows\system32\drivers\TTCinergyT2.sys [2009-2-22 16640]
S3 UPnPService;UPnPService;c:\programme\gemeinsame dateien\magix shared\upnpservice\UPnPService.exe [2009-2-27 647242]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2010-7-5 250240]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2010-7-5 476032]
.
=============== Created Last 30 ================
.
2011-12-28 01:40:42 -------- d-----w- c:\dokumente und einstellungen\user\anwendungsdaten\AVG2012
2011-12-28 01:11:29 -------- d-----w- c:\dokumente und einstellungen\user\anwendungsdaten\Malwarebytes
2011-12-27 02:00:15 -------- d-----w- c:\programme\Spybot - Search & Destroy
2011-12-27 02:00:15 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\Spybot - Search & Destroy
2011-12-27 00:34:15 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-27 00:34:15 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\AVG2012
2011-12-27 00:33:43 -------- d-----w- c:\programme\AVG
2011-12-27 00:30:04 -------- d--h--w- c:\dokumente und einstellungen\all users\anwendungsdaten\Common Files
2011-12-27 00:29:54 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\MFAData
2011-12-27 00:18:56 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-12-26 20:37:25 -------- d-----w- c:\programme\Lavasoft
2011-12-25 20:00:10 -------- d-----w- c:\dokumente und einstellungen\all users\anwendungsdaten\Malwarebytes
2011-12-25 20:00:07 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-25 20:00:07 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2011-12-25 19:53:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-25 19:53:27 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-08 19:16:12 -------- d-----w- c:\dokumente und einstellungen\user\lokale einstellungen\anwendungsdaten\FlashDevelop
2011-12-07 10:40:41 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-12-07 10:40:38 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-12-07 10:39:53 -------- d-----w- c:\windows\system32\RtlGina
2011-12-07 10:39:52 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
.
==================== Find3M ====================
.
2011-12-26 20:40:28 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-11-03 17:06:56 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-02-04 10:05:50 5239808 ----a-w- c:\programme\Multimedia Card Reader Driver.msi
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: MAXTOR_STM3500320AS rev.MX15 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-17
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk1\DR1[0x8ABF5AB8]
3 CLASSPNP[0xF763805B] -> nt!IofCallDriver[0x804E13B9] -> \Device\Ide\IdeDeviceP2T0L0-22[0x8ABD5D98]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB

; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 21:07:26,67 ===============

Attached Files



#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:33 AM

Posted 06 January 2012 - 03:46 AM

Hi, I first want to see a dump of your drive's MBR to make sure it is not infected.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 always_learning

always_learning
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 10 January 2012 - 12:48 PM

Hello,
Thank you.
My partner's computer showed trojans too the day I got your message, so I haven't done it yet.

I wonder, if I got this malware from the server of my website. I had made a page for my teacher to upload a file, and forgotten to take it down again. One of the trojans was in a subfolder of that website. I didn't take notice, which subfolder it was in. I had just deleted the whole folder that page was on on the server, so I couldn't check, what files were in the upload folder.

So, in any case, it may not have been that Avira couldn't detect it, unless Avira is supposed to check anything downloaded through Dreamweaver too.

It's been a few days, my partner's computer has not acted weird so far, so maybe we can do your instructions now. My partner had also downloaded files from our website.

#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:33 AM

Posted 11 January 2012 - 07:13 AM

That is indeed possible however hard to say.
For the steps above you just need a working computer, even if you suspect it might be infected, it will make no difference you can use it to create the xPUD CD.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 always_learning

always_learning
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 12 January 2012 - 01:22 PM

Hi Elise,
I just burnt the CD, before I try to boot from it, I want to tell you a couple more things I found:
The "Application Data" folder on the user, where I ran the scans is completely empty. Most of the folders on that user are empty. When I installed Malwarebytes I should have changed the name of the installer, and didn't.

Today, when I booted up, the message "Your firewall is not on..." (don't know exact words, but it's that same misspelled English as the message, when this whole problem started) came up again. It disappeared after a short time. I haven't rebooted yet since I saw that message.

I don't know, if I have the Windows CD for this computer. I bought it used from someone who had a student put it together for him, and we have recently moved across the ocean and back - I don't remember, which software was for which computer, as I left my other one on the first move.

In any case, this computer is in German, and so I translate things the best I can (not very used to German computers).

#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:33 AM

Posted 12 January 2012 - 01:51 PM

Certain types of malware hide personal files to give the impression they were deleted, this may be the case here as well.

I'll wait for the MBR dump.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 always_learning

always_learning
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 12 January 2012 - 02:32 PM

Hi Elise,
Yeah, my computer booted up again and I finally have the mbr.bin file. But now there is no button to attach it.

#13 always_learning

always_learning
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 12 January 2012 - 02:33 PM

Ok, I found it.

Attached Files

  • Attached File  mbr.zip   534bytes   3 downloads


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:33 AM

Posted 12 January 2012 - 03:07 PM

Does your computer boot up normally? While the MBR is not infected, the partition table looks a bit strange.
Do you have two NTFS partitions on this drive?

Please download and run unhide.exe and see if that restores the files.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 always_learning

always_learning
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:09:33 PM

Posted 12 January 2012 - 03:58 PM

Hi Elise,
I ran unhide. It still says the folders are empty. It also gives me an "access denied" message. The user I am in is an admin. It tells me the desktop folder is empty too, and gives me "access denied" for it also, if I try to open it.

It does have weird partitioning. I believe it has 2 hard drives, and each have 2 partitions.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users