TechSpot

AV security suite malware/trojan problem

Solved
By pilger
Jul 21, 2010
Topic Status:
Not open for further replies.
  1. I have a Malware problem that began with "AV security suite" which crippled any internet browsing. I remotely d/l malwarebytes/VIPRE anti-virus and installed them in Safe Mode which allows browsing again. However AV security suite still appears in anti-virus scans despite Malwarebytes cleaning it. I am experiencing unwanted web pages opening during browsing and sometimes the PC will not shut down properly. I have also noticed some unwanted process running in task manager: ROUTEa.exe, wba.exe and others. I've posted Malwarebyes, DDS and GMER logs below.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4329

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    21/07/2010 11:07:01 AM
    mbam-log-2010-07-21 (11-07-01).txt

    Scan type: Quick scan
    Objects scanned: 136250
    Time elapsed: 19 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Owner at 11:11:22.81 on Wed 21/07/2010
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1033.18.2047.1563 [GMT 10:00]

    AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uInternet Settings,ProxyServer = http=127.0.0.1:1036
    uInternet Settings,ProxyOverride = <local>
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
    mRun: [nwiz] nwiz.exe /install
    mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    mRun: [hp Silent Service] c:\windows\system32\HpSrvUI.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [AlcxMonitor] ALCXMNTR.EXE
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [SBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    dRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
    dRunOnce: [Suite] regedit -s c:\windows\temp\adj_hp.reg
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Trusted Zone: microsoft.com\update
    Trusted Zone: microsoft.com\windowsupdate
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: JT's Blocks - hxxp://download.games.yahoo.com/games/clients/y/blt1_x.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: Yahoo! Checkers - hxxp://download.games.yahoo.com/games/clients/y/kt3_x.cab
    DPF: Yahoo! Chess - hxxp://download.games.yahoo.com/games/clients/y/ct1_x.cab
    DPF: Yahoo! Chinese Checkers - hxxp://download.games.yahoo.com/games/clients/y/cct0_x.cab
    DPF: Yahoo! Euchre - hxxp://download.games.yahoo.com/games/clients/y/et1_x.cab
    DPF: Yahoo! Fleet - hxxp://download.games.yahoo.com/games/clients/y/fltt3_x.cab
    DPF: Yahoo! Go - hxxp://download.games.yahoo.com/games/clients/y/gt2_x.cab
    DPF: Yahoo! Literati - hxxp://download.games.yahoo.com/games/clients/y/tt2_x.cab
    DPF: Yahoo! Pool 2 - hxxp://download.games.yahoo.com/games/clients/y/potd_x.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
    DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
    DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} - hxxp://download05.managerzone.com/soccer-3d/PowerLoader.cab
    DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/DyynoClient/DyynoCAB.CAB
    DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/24c71afdaca1a2543803/netzip/RdxIE601.cab
    DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} - hxxp://www.microsoft.com/security/controls/DoomCln.CAB
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\051jceul.default\
    FF - plugin: c:\program files\opera\program\plugins\npdrmv2.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2004-11-16 155136]
    R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2004-11-16 5248]
    R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-6-18 13400]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
    R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-6-18 204632]
    R2 SBAMSvc;VIPRE Antivirus;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-4-19 2726000]
    R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-6-18 69720]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-11-14 112688]
    S4 Fswsclds;F-Secure Windows Security Center Legacy Detection Service;c:\program files\f-secure internet security\fswsclds.exe [2004-9-21 40960]
    S4 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-4-19 181584]

    =============== Created Last 30 ================

    2010-07-16 06:40:51 0 d-----w- c:\program files\MZ Manager 2
    2010-07-09 08:18:31 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-06-25 07:28:19 0 d-----w- c:\docume~1\owner\applic~1\PowerChallenge

    ==================== Find3M ====================

    2010-07-02 11:34:20 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
    2003-11-08 04:32:48 560 -c--a-w- c:\program files\Global.sw
    2003-02-22 17:54:58 107 -c--a-w- c:\program files\zMarker.txt

    ============= FINISH: 11:13:16.39 ===============



    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-07-21 13:56:28
    Windows 5.1.2600 Service Pack 3
    Running: xwizh02x.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtiqpob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)

    ---- EOF - GMER 1.0.15 ----

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. pilger

    pilger TS Rookie Topic Starter

    Combofix log attached below

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\documents and settings\NetworkService\Local Settings\Application Data\cfugaisrm
    c:\program files\F-Secure Internet Security
    
    
    Driver::
    Fswsclds
    
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Suite"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:1036
    
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  5. pilger

    pilger TS Rookie Topic Starter

    new combofix log attached.

    Attached Files:

    • log.txt
      File size:
      30.1 KB
      Views:
      2
  6. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Looks good :)
    How are the issues?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ==================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  7. pilger

    pilger TS Rookie Topic Starter

    I am able to go to the windows update web page again. Before when I tried that site was blocked and windows would not download updates. Also, I have not yet experienced any pop ups after the combo fix scan. The OTL logs are below.

    Attached Files:

  8. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Wonderful :)

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
      O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
      O4 - HKCU..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe File not found
      O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
      O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
      O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll File not found
      O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (Reg Error: Key error.)
      O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab (Reg Error: Key error.)
      O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe (Reg Error: Key error.)
      O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
      O16 - DPF: JT's Blocks http://download.games.yahoo.com/games/clients/y/blt1_x.cab (Reg Error: Key error.)
      O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
      O16 - DPF: Yahoo! Checkers http://download.games.yahoo.com/games/clients/y/kt3_x.cab (Reg Error: Key error.)
      O16 - DPF: Yahoo! Chess http://download.games.yahoo.com/games/clients/y/ct1_x.cab (Reg Error: Key error.)
      O16 - DPF: Yahoo! Chinese Checkers http://download.games.yahoo.com/games/clients/y/cct0_x.cab (Reg Error: Key error.)
      O16 - DPF: Yahoo! Euchre http://download.games.yahoo.com/games/clients/y/et1_x.cab (Reg Error: Key error.)
      O16 - DPF: Yahoo! Fleet http://download.games.yahoo.com/games/clients/y/fltt3_x.cab (Reg Error: Key error.)
      O16 - DPF: Yahoo! Go http://download.games.yahoo.com/games/clients/y/gt2_x.cab (Reg Error: Key error.)
      O16 - DPF: Yahoo! Literati http://download.games.yahoo.com/games/clients/y/tt2_x.cab (Reg Error: Key error.)
      O16 - DPF: Yahoo! Pool 2 http://download.games.yahoo.com/games/clients/y/potd_x.cab (Reg Error: Key error.)
      [2010/06/17 23:41:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\afsluj
      [2010/06/16 14:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\wvpillsxw
      [20 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
      [2 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
      [2004/06/25 16:10:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      @Alternate Data Stream - 478 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring" =-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
  9. pilger

    pilger TS Rookie Topic Starter

    Ran the fix but there were a few side affects.

    #1 Start up takes about 5 minutes. Windows loads and then the CPU goes to a blank screen. After about 5 minutes the task bar and start menu at the bottom appears, and then the desktop. In the task manager there are only 27 processes running (usually I have 33-35). And the computer is very slow to react/process.

    #2 There is no connection to the internet. The modem is trying to "acquire a network address". The IP Address it is trying to connect to is 0.0.0.0. So something was wiped out there?!?

    I'm on the library PC. Log is posted below.

    Attached Files:

  10. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    I see absolutely nothing in a fix, what could cause such issues.
    We removed mostly garbage.

    Try to restart computer and see, if it helps.
  11. pilger

    pilger TS Rookie Topic Starter

    The reboot after the scan: the log in notepad opened on restart after taking about 5 minutes from windows loading. I tried a few re-starts after that and another one a few hours later and it seems very consistent.

    Could I contact my ISP Provider and get some details to re-establish a connection? It seems the modem is working fine and the computer is talking to the modem okay. As far as I can tell it's just lost some information like who to ring etc. Or is it more serious?

    I could try another re-start but I won't be home to do that for a while. I'll let you know if it is the same.
     
  12. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Try some basic steps to see, if you can get your connection back....


    Make sure, your computer is set to obtain IP address automatically.
    1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
    2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
    3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
    4. For a wired network connection, right-click Local Area Connection, and then select Properties.
    For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
    5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol (TCP/IP), make sure it is checked, and then click Properties
    6. Click Obtain an IP Address Automatically, and then click OK.

    If that doesn't work...
    Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
    Reconnect everything.
    Restart computer.

    If that doesn't work, bypass router, and connect computer straight to the modem.

    If that doesn't work...
    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Restart computer.

    If that doesn't work...
    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    At Command Prompt, type in:
    netsh int ip reset reset.log
    Hit Enter.
    Type in:
    netsh winsock reset catalog
    Hit Enter.

    Restart computer.


    If that doesn't work...
    Download, install, and run WinSockFix: http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml (doesn't work in Vista)
    Restart computer, and check again.

    If that doesn't work...
    Download Dial-A-Fix (DAF) (doesn't work in Vista):
    http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles

    Have XP CD available in case DAF needs a file. Likely not!

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here, one at a time, do the below:

    Reinstall BITS
    Reinstall Windows Firewall
    Repair Permissions
    Reset networking

    Watch for any File not found or other errors and make note as this may lead to the fix!

    Restart computer.
  13. pilger

    pilger TS Rookie Topic Starter

    Internet Connection was restored by Win Sock Fix. Task Manager is back up to 32 processes again. Restart problem is fixed.

    ipconfig /registerdns
    ipconfig /renew
    When I got to the cmd step these two came up with the same error: RPC server is unavailable.

    Also I remember when I was running Combo Fix a box came up saying logonui.exe and wuauclt.exe were infected.
  14. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Wonderful :)

    Are there any visible effects of that right now? I'd assume WinSock fixed that.

    That shouldn't be an issue by now.

    ======================================================================

    Last scan....

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
  15. pilger

    pilger TS Rookie Topic Starter

    Kaspersky scan was clean.

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    Cool :)

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ======================================================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
  17. pilger

    pilger TS Rookie Topic Starter

    Thank you for sharing your computer wisdom and guiding me through this process.

    It's good to see CPU Usage: 0% in task manager again. :)
  18. Broni

    Broni Malware Annihilator Posts: 46,713   +254

    You're very welcome [​IMG]

    Good luck and stay safe :)
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.