
Malware attack. AV disabled, Firewall down. System restore incomplete.


This topic is locked
11 replies to this topic

#1 Bob.vs.life

  • Members
  • 6 posts

Posted 23 October 2012 - 07:41 AM

8yr old Novatech PC
Pentium 4 MMX hyperthreading
2.6ghz
2Gb RAM
80Gb HDD
Connected to internet by ethernet cable via latest BT Home Hub wireless router

OS Windows XP service pack 3

1 x AV prog installed (Avast! 2012)

Initial Problem:

Ransomware demand.

Total freeze of screen, redundancy of mouse, & keyboard.

Action I have taken:

Re-set button on front of machine. Disconnected ethernet cable.

Result:

Normal reboot of Windows. Everything appears well, except antivirus programme not working...

Avast! icon on ‘start’ tool-bar has red cross on it. Message in avast! screen says, “Unsecured. Your system is not protected. The avast! antivirus programme has been stopped or is in an inconsistent state. Please restart the programme to resume protecting your system.”

The programme does not respond to clicking on “Fix Now” or “Start Programme”.
It will not start, or perform any standard scans. Will not perform custom scan (message reads: cannot scan because no more endpoints available from the endpoint mapper) or provide real-time protection (will not turn on).

Action I have taken:

Googled similar incidences / copied actions taken by others.

On clean PC, downloaded to a memory stick RKill, Malwarebytes Pro, SUPERAntiSpyware. (renaming the Malware and SUPERAnti progs)

Re-booted infected PC in safe mode with networking.

Installed and ran Rkill

I did not reboot at this time.

Installed and performed full scan of all drives with Malwarebytes Pro.

Result: 19 serious threats found and removed

I did not reboot

Installed and ran full scan of all drives with SUPERAntiSpyware (inc high boost, and repair scan).

Result: 4 or 5 serious threats found plus 355 tracking cookies and similar. All removed or quarantined.

Reboot into normal mode.

Result: Avast! not fixed. Problem exactly as stated before.

Performed complete uninstall of Avast! through Control Panel Add/Remove Programmes.

On clean PC, downloaded fresh copy of Avast! free edition to memory stick
Re-booted infected PC in safe-mode with networking.
Installed Avast! from memory stick.
Re-booted in normal mode.

Result: Avast! not fixed. Problem exactly as stated before

Re-ran Malwarebytes Pro full scan in normal mode. Performed reboot.
Re-ran SUPERAntiSpyware full scan in normal mode. Performed reboot.

Result: Both scans show zero threats detected.

Attempted system restore.

Result: System restore did not complete.

PC status at time of writing:

System will not restore to any restore points.
Malwarebytes and SUPERAntiSpyware both declare zero threats found. Avast! not fixed. Problem exactly as stated before.

Also, Windows Security Centre “has not started or was stopped”, and Windows Firewall reports “Due to an unidentified problem Windows cannot display Windows Firewall settings”.

Would appreciate advice on how to proceed. Many thanks

#2 fireman4it (Bleepin' Fireman)

  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA

Posted 23 October 2012 - 11:17 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step. Then proceed to run aswMbr.exe as noted below.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Note:
If you are unable to run a GMER scan due to the fact you are running a 64bit machine, please run the following tool and post its log.

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Thanks and again sorry for the delay.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Bob.vs.life (Topic Starter)

  • Members
  • 6 posts

Posted 24 October 2012 - 08:39 AM

Hi Fireman4it.

Following your advice I have done the following:

Backed up using Cobian (8 Black Moon)
When executing initial backup (C:\ to G:\) I got this message: "Backup complete. Backup contains 493 errors."

When opening Gmer.exe I got this message: "GMER LoadDriver ("C:\DOCUE~1\MGC\LOCALS~1\Temp\pxtdapob.sys") error 0xC0000001: cannot create a stable subkey under a volatile parent key."

I clicked OK, and continued with the installation.


When installing and running GMER, at Fig.14, BEFORE I had started the scan, there was already a message (in RED) in the dialogue window saying: "Service C:\WINDOWS\System32\Drivers\1e3dcd40789e451b.sys (***hidden***) (BOOT)1e3dcd40789e451b"

The check boxes 1 - 8 (system - libraries) and 'Show All' were not live and couldn't be checked.
Check boxes for Services, Registry, Files, C:\ and ADS were live and already checked.

I ran the scan WITHOUT check boxes 1 - 8 checked.

The completed scan informed me of rootkit problems.


Here are the logs:

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by MGC at 12:38:17 on 2012-10-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1333 [GMT 1:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Program Files\Common Files\Motive\pcCMService.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IC Card Reader Driver v1.8e4\Disk_Monitor.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Caplio Software\RGateLXP.exe
C:\Program Files\ArcSoft\TotalMedia Backup\uBBMonitor.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://www.orange.co.uk/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: DataMngr: {9D717F81-9148-4f12-8568-69135F087DB0} -
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} -
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Boots Insert Detect] "c:\program files\boots f2cd\picture suite\InsDetect.exe"
uRun: [kdx] c:\program files\KHost.exe -all
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [Cmaudio] "RunDll32" cmicnfg.cpl,CMICtrlWnd
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
mRun: [Disk Monitor] "c:\program files\\ic card reader driver v1.8e4\Disk_Monitor.exe"
mRun: [PCTVOICE] "pctspk.exe"
mRun: [NeroCheck] "c:\windows\system32\NeroCheck.exe"
mRun: [RegSvr32] <no file>
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [adawarebp] reg.exe delete "HKCU\Software\AppDataLow\Software\adawarebp" /f
dRunOnce: [adawarebp_XP] reg.exe delete "HKCU\Software\adawarebp" /f
dRunOnce: [atsssvr] c:\docume~1\locals~1\locals~1\applic~1\atsssvr.exe
uExplorerRun: [winlogon.exe] <no file>
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office 2000\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ricohg~1.lnk - c:\program files\caplio software\RGateLXP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup\uBBMonitor.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-System: NoDispAppearancePage = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://sell-vehicle.ebay.co.uk/images/eps/eBay_Enhanced_Picture_Control_v1-0-3-50.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1350993521824
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://87.127.242.83/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.254 192.168.1.254
TCP: Interfaces\{1922E17B-7CB2-47F2-B715-DD8AB41B55ED} : DHCPNameServer = 192.168.1.254 192.168.1.254
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\program files\inbox toolbar\Inbox.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\windows\syste
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
.
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-8-29 1385896]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-19 399432]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-8-12 87040]
R2 pcCMService;pcCMService;c:\program files\common files\motive\pcCMService.exe [2012-9-10 361472]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-5-30 3048136]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-10-22 729752]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-10-22 355632]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-10-22 21256]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-10-22 44808]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-1 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-19 676936]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-5-3 158856]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-1 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2011-11-23 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]
S3 iMSPQMn;iMSPQMn;\??\c:\docume~1\mgc\locals~1\temp\imspqmn.sys --> c:\docume~1\mgc\locals~1\temp\iMSPQMn.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-19 22856]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [2006-1-17 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [2006-1-17 28057]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [2006-1-17 21081]
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;c:\windows\system32\drivers\sis163u.sys [2006-9-5 217600]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\drivers\VMUVC.sys [2009-12-30 250240]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2009-12-30 476160]
S4 si3112r;si3112r;c:\windows\system32\drivers\si3112r.sys [2102-1-1 89749]
S4 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2102-1-1 9600]
.
=============== Created Last 30 ================
.
2102-01-01 07:42:32 9600 ----a-w- c:\windows\system32\drivers\SiWinAcc.sys
2102-01-01 07:42:32 89749 ----a-w- c:\windows\system32\drivers\si3112r.sys
2102-01-01 07:42:31 159744 ----a-w- c:\windows\system32\drivers\fasttx2k.sys
2102-01-01 07:40:57 9216 -c--a-w- c:\windows\system32\dllcache\wshatm.dll
2102-01-01 07:33:58 6144 -c--a-w- c:\windows\system32\dllcache\kbdth3.dll
2102-01-01 07:33:58 6144 ----a-w- c:\windows\system32\kbdth3.dll
2102-01-01 07:33:57 6144 -c--a-w- c:\windows\system32\dllcache\kbdth2.dll
2102-01-01 07:33:57 6144 ----a-w- c:\windows\system32\kbdth2.dll
2102-01-01 07:33:57 5632 -c--a-w- c:\windows\system32\dllcache\kbdth1.dll
2102-01-01 07:33:57 5632 -c--a-w- c:\windows\system32\dllcache\kbdth0.dll
2102-01-01 07:33:57 5632 ----a-w- c:\windows\system32\kbdth1.dll
2102-01-01 07:33:57 5632 ----a-w- c:\windows\system32\kbdth0.dll
2102-01-01 07:29:45 -------- d-----w- c:\windows\I386
.
==================== Find3M ====================
.
2012-10-04 18:20:48 3810 ---ha-w- c:\windows\system32\upd12100481.exe
2012-09-29 18:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-21 09:13:15 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:12:33 41224 ----a-w- c:\windows\avastSS.scr
2004-03-28 15:14:37 3998180 ----a-w- c:\program files\ihp_kitchen.exe
2004-03-10 13:59:13 1955904 ----a-w- c:\program files\ppviewer.exe
.
============= FINISH: 12:42:26.35 ===============
Attached: ark.txt (1.64KB), attach.txt (26.85KB)
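As an added example (not a tool from the thread, the helper, or BleepingComputer), a small Python triage script that reads lines in the shape of the DDS and GMER output above and flags the indicators a malware responder would look at first: a driver registered from a Temp directory whose file is missing, file timestamps in the year 2102, a hidden executable in system32, autorun entries pointing at missing files, and a hidden BOOT service with a random hex name. The sample lines are constructed from the posted log, and `today` is assumed to be the log's date.

```python
"""Triage of DDS / GMER style log lines for rootkit-era indicators.

Added example, not a BleepingComputer tool. It reads lines in the formats
DDS and GMER print and reports the anomalies visible in the posted log.
"""
import re
from datetime import date

# Constructed sample: lines in the shape of the DDS and GMER output posted
# in the thread, plus one benign service line (MBAMScheduler) for contrast.
SAMPLE_LOG = r"""
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-19 399432]
S3 iMSPQMn;iMSPQMn;\??\c:\docume~1\mgc\locals~1\temp\imspqmn.sys --> c:\docume~1\mgc\locals~1\temp\iMSPQMn.sys [?]
S4 si3112r;si3112r;c:\windows\system32\drivers\si3112r.sys [2102-1-1 89749]
2102-01-01 07:42:32 9600 ----a-w- c:\windows\system32\drivers\SiWinAcc.sys
2012-10-04 18:20:48 3810 ---ha-w- c:\windows\system32\upd12100481.exe
mRun: [RegSvr32] <no file>
uExplorerRun: [winlogon.exe] <no file>
dRunOnce: [atsssvr] c:\docume~1\locals~1\locals~1\applic~1\atsssvr.exe
Service C:\WINDOWS\System32\Drivers\1e3dcd40789e451b.sys (***hidden***) (BOOT)1e3dcd40789e451b
"""

# DDS "SERVICES / DRIVERS" line: state name;description;image path [date size] or [?]
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
STAMP_RE = re.compile(r"\[(\d{4})-(\d{1,2})-(\d{1,2}) \d+\]$")
# DDS "Created Last 30" / "Find3M" line: date time size attributes path
CREATED_RE = re.compile(
    r"^(?P<y>\d{4})-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.*)$")
# DDS autorun line: uRun / mRun / dRunOnce / uExplorerRun etc.
RUN_RE = re.compile(r"^[umd]\w*Run(?:Once)?: \[(?P<key>[^\]]+)\] (?P<target>.*)$")
# GMER hidden service line
HIDDEN_SVC_RE = re.compile(r"^Service (?P<path>\S+) \(\*\*\*hidden\*\*\*\)")
RANDOM_HEX_RE = re.compile(r"^[0-9a-f]{16}\.sys$", re.IGNORECASE)
PROFILE_DIRS = ("\\temp\\", "\\applic~1\\", "\\application data\\")


def _in_profile_dir(path):
    """True if the path sits in a Temp or user-profile data directory."""
    p = path.lower()
    return any(d in p for d in PROFILE_DIRS)


def triage(log_text, today=date(2012, 10, 24)):
    """Return (line, reason) pairs for every suspicious line in log_text.

    `today` defaults to the date of the posted DDS log so that the 2102
    timestamps are recognised as being in the future.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest")
            if rest.endswith("[?]"):
                findings.append((line, "service/driver image not found on disk"))
            if _in_profile_dir(rest):
                findings.append((line, "driver loads from a temp or profile directory"))
            s = STAMP_RE.search(rest)
            if s and int(s.group(1)) > today.year:
                findings.append((line, "file timestamp is in the future"))
            continue
        m = CREATED_RE.match(line)
        if m:
            if int(m.group("y")) > today.year:
                findings.append((line, "file timestamp is in the future"))
            attrs, path = m.group("attrs"), m.group("path").lower()
            if "h" in attrs and path.endswith(".exe") and "\\system32\\" in path:
                findings.append((line, "hidden executable in system32"))
            continue
        m = RUN_RE.match(line)
        if m:
            target = m.group("target")
            if target == "<no file>":
                findings.append((line, "autorun entry points at a missing file"))
            elif _in_profile_dir(target):
                findings.append((line, "autorun launches from a temp or profile directory"))
            continue
        m = HIDDEN_SVC_RE.match(line)
        if m:
            findings.append((line, "hidden service (rootkit indicator)"))
            if RANDOM_HEX_RE.match(m.group("path").rsplit("\\", 1)[-1]):
                findings.append((line, "driver name is a random hex string"))
    return findings


if __name__ == "__main__":
    for hit, reason in triage(SAMPLE_LOG):
        print(f"{reason:48s} {hit}")
```

Flagged lines are leads for a helper to check, not verdicts; the benign MBAMScheduler line produces no finding.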

#4 fireman4it (Bleepin' Fireman)

  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA

Posted 24 October 2012 - 07:30 PM

1.
Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?


#5 Bob.vs.life (Topic Starter)

  • Members
  • 6 posts

Posted 26 October 2012 - 06:00 AM

Hi Fireman

I have installed and run the TDSSKiller scan as per your instructions above. (logs x 3 posted below. 1 in post, 2 attached)

On reboot, all the avast! AV problems are resolved! Avast! working fine and live-protection restored. Great news.



However, Windows Firewall cannot be activated. "due to an unidentified problem Windows cannot display firewall settings".


Shall I go ahead and run the ComboFix tool?




10:58:59.0296 3484 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
10:58:59.0609 3484 ============================================================
10:58:59.0609 3484 Current date / time: 2012/10/26 10:58:59.0609
10:58:59.0609 3484 SystemInfo:
10:58:59.0609 3484
10:58:59.0609 3484 OS Version: 5.1.2600 ServicePack: 3.0
10:58:59.0609 3484 Product type: Workstation
10:58:59.0609 3484 ComputerName: OFFICE
10:58:59.0609 3484 UserName: MGC
10:58:59.0609 3484 Windows directory: C:\WINDOWS
10:58:59.0609 3484 System windows directory: C:\WINDOWS
10:58:59.0609 3484 Processor architecture: Intel x86
10:58:59.0609 3484 Number of processors: 2
10:58:59.0609 3484 Page size: 0x1000
10:58:59.0609 3484 Boot type: Normal boot
10:58:59.0609 3484 ============================================================
11:00:51.0453 3484 !crdlk
11:00:51.0468 3484 Drive \Device\Harddisk0\DR0 - Size: 0x1315740000 (76.34 Gb), SectorSize: 0x200, Cylinders: 0x26EC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'A'
11:00:51.0484 3484 Drive \Device\Harddisk1\DR1 - Size: 0x3080E8000 (12.13 Gb), SectorSize: 0x200, Cylinders: 0x62E, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'A'
11:00:51.0515 3484 Drive \Device\Harddisk2\DR4 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
11:00:58.0484 3484 ============================================================
11:00:58.0484 3484 \Device\Harddisk0\DR0:
11:00:58.0484 3484 MBR partitions:
11:00:58.0484 3484 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x98A7FAD
11:00:58.0484 3484 \Device\Harddisk1\DR1:
11:00:58.0484 3484 MBR partitions:
11:00:58.0484 3484 \Device\Harddisk1\DR1\Partition1: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0x183CC6F
11:00:58.0484 3484 \Device\Harddisk2\DR4:
11:00:58.0484 3484 MBR partitions:
11:00:58.0484 3484 \Device\Harddisk2\DR4\Partition1: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0x74705982
11:00:58.0484 3484 ============================================================
11:00:58.0500 3484 C: <-> \Device\Harddisk0\DR0\Partition1
11:00:58.0515 3484 E: <-> \Device\Harddisk1\DR1\Partition1
11:00:58.0515 3484 G: <-> \Device\Harddisk2\DR4\Partition1
11:00:58.0515 3484 ============================================================
11:00:58.0515 3484 Initialize success
11:00:58.0515 3484 ============================================================
11:02:07.0515 3112 Deinitialize success
Attached: TDSSKiller.2.8.13.0_26.10.2012_11.04.50_log.txt (319.71KB), TDSSKiller.2.8.13.0_26.10.2012_11.30.29_log.txt (5.06KB)

#6 fireman4it (Bleepin' Fireman)

  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA

Posted 26 October 2012 - 11:02 PM

Hello,

Thank you for the log. Please go ahead and proceed with Combofix.


#7 fireman4it (Bleepin' Fireman)

  • Malware Response Team
  • 13,512 posts
  • Gender: Male
  • Location: Greenup, Ill USA

Posted 28 October 2012 - 08:30 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#8 Bob.vs.life (Topic Starter)

Posted 29 October 2012 - 06:31 AM

Hi Fireman

sorry for lack of response - out gigging all weekend.

Have run ComboFix (see attached log).

On reboot, Windows Security Centre running normally, and firewall settings all live. Firewall can now be enabled. Great news.

Unless you know otherwise, it would appear that my computer is restored to good health.

I now have TDSSKiller, dds.com, ComboFix, GMER zip, and their logs on my desktop. Can I just leave them there, or should I uninstall / delete them....?

Many thanks for your advice, your time, and your patience

best

Bob

F*ck, I've just realised I didn't have my off-board secondary hard drive (drive G) connected to the computer when running ComboFix.
Should I have done?????

Attached file: ComboFix.txt (25.17KB)

#9 fireman4it (Malware Response Team)

Posted 29 October 2012 - 04:46 PM

Hello,

Please run ComboFix again with your external hard drive connected.



#10 Bob.vs.life (Topic Starter)

Posted 29 October 2012 - 06:42 PM

Here is the ComboFix log with external hard drive connected:

One of my original problems was the inability to use any System Restore points. Shall I attempt one to see if the problem is fixed?

Attached file: ComboFix.txt (11.32KB)

#11 fireman4it (Malware Response Team)

Posted 29 October 2012 - 07:02 PM

NO, don't do a restore point. It will restore the virus.


1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the scan button on that page (shown as an image in the original post).
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


Things to include in your next reply:
MBAM log
Eset log
How is your machine running now?

Edited by fireman4it, 29 October 2012 - 07:04 PM.



#12 fireman4it (Malware Response Team)

Posted 03 November 2012 - 03:16 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
