
Thread: Malware that keeps transforming

  1. #11
    Junior Member
    Join Date
    May 2011
    Posts
    8


Hey Blade,
The disc won't run. I think perhaps because the system won't restart properly. When I choose a restart or shutdown option on the login screen everything freezes. Only holding the power button turns it on or off, and when it turns on (even with the disc inserted) it opens to the safe mode options menu instead of running the disc.

  2. #12
    Junior Member
    Join Date
    May 2011
    Posts
    8


Alrighty, got some help with the clean Vista install and I just updated Windows. Do you have any free antivirus, antimalware, antispyware, or Windows maintenance program suggestions that could better protect me for the future? Here's my fresh DDS log:

    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 7.0.6001.18000
    Run by Savage at 1:19:05 on 2011-05-21
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4060.1893 [GMT -4:00]
    .
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_77d0b692\STacSV64.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_77d0b692\AESTSr64.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\CyberLink\Shared files\RichVideo64.exe
    C:\Program Files\BitDefender\BitDefender 2011\pchooklaunch64.exe
    C:\Program Files\BitDefender\BitDefender 2011\Antispam32\pchooklaunch32.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\DllHost.exe
    C:\Program Files\Common Files\BitDefender\SetupInformation\{CFB8BDCE-8814-4B9A-8EA9-31DB74FEF0AE}\setup.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Internet Explorer\ieuser.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10q_ActiveX.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Savage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IMJYEMP8\dds[1].scr
    C:\Windows\SysWOW64\WSCRIPT.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mWinlogon: Userinit=userinit.exe
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun-x64: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe
    mRunOnce-x64: [LinkInstaller] "C:\Program Files\Common Files\LinkInstaller.exe"
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Savage\AppData\Roaming\Mozilla\Firefox\Profiles\0kmwkioy.default\
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_77d0b692\AESTSr64.exe --> C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_77d0b692\AESTSr64.exe [?]
    R2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\CyberLink\Shared files\RichVideo64.exe [2011-5-21 386344]
    R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?]
    R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
    R3 NETw5v64;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit ;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
    R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;C:\Windows\system32\DRIVERS\OA001Ufd.sys --> C:\Windows\system32\DRIVERS\OA001Ufd.sys [?]
    R3 OA001Vid;Creative Camera OA001 Function Driver;C:\Windows\system32\DRIVERS\OA001Vid.sys --> C:\Windows\system32\DRIVERS\OA001Vid.sys [?]
    S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-5-20 1153368]
    S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2008-1-20 93696]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    .
    =============== Created Last 30 ================
    .
    2011-05-21 04:49:47 -------- d-----w- C:\Program Files\BitDefender
    2011-05-21 04:43:21 -------- d-----w- C:\ProgramData\47780000-2c75-466f-41e5-e9e9273b2984
    2011-05-21 04:39:32 -------- d-----w- C:\Users\Savage\AppData\Roaming\QuickScan
    2011-05-21 04:39:14 -------- d-----w- C:\Program Files\Common Files\BitDefender
    2011-05-21 04:36:56 327368 ----a-w- C:\Windows\SysWow64\drivers\bdfsfltr.sys
    2011-05-21 04:36:54 133015 ----a-w- C:\ProgramData\bdinstall.bin
    2011-05-21 04:27:21 -------- d-----w- C:\ProgramData\SmartSound Software Inc
    2011-05-21 04:27:18 -------- d-----w- C:\ProgramData\eSellerate
    2011-05-21 04:27:18 -------- d-----w- C:\Program Files (x86)\SmartSound Software
    2011-05-21 04:11:11 -------- d-----w- C:\Users\Savage\AppData\Roaming\Malwarebytes
    2011-05-21 04:11:02 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-21 04:11:01 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-05-21 04:10:57 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-05-21 04:10:57 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-05-21 03:47:16 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2011-05-21 03:47:16 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2011-05-21 03:06:13 -------- d-----w- C:\Program Files (x86)\TweetDeck
    2011-05-21 03:02:41 -------- d-----w- C:\Users\Savage\AppData\Local\Adobe
    2011-05-21 02:21:21 -------- d-----w- C:\Windows\Panther
    2011-05-21 02:21:06 -------- d-sh--w- C:\Boot
    2011-05-21 02:20:55 -------- d-----w- C:\Windows\System32\OEM
    2011-05-21 01:08:32 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-05-21 00:14:26 -------- d-----w- C:\Users\Savage\AppData\Local\ATI
    2011-05-21 00:13:03 0 ----a-w- C:\Windows\ativpsrm.bin
    2011-05-21 00:06:02 600064 ----a-w- C:\Windows\System32\ctapo64.dll
    2011-05-21 00:06:02 58880 ----a-w- C:\Windows\System32\AESTAR64.dll
    2011-05-21 00:06:02 45568 ----a-w- C:\Windows\System32\ctppld.dll
    2011-05-21 00:06:02 433152 ----a-w- C:\Windows\System32\AESTEC64.dll
    2011-05-21 00:06:02 155648 ----a-w- C:\Windows\System32\AESTAC64.dll
    2011-05-21 00:06:00 76288 ----a-w- C:\Windows\System32\AESTCo64.dll
    2011-05-21 00:06:00 540672 ----a-w- C:\Windows\System32\idt64mp1.exe
    2011-05-21 00:06:00 2828288 ----a-w- C:\Windows\System32\stlang64.dll
    2011-05-21 00:06:00 10752000 ----a-w- C:\Windows\System32\idtcpl64.cpl
    2011-05-21 00:03:44 729088 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\09\01\Intel32\iKernel.dll
    2011-05-20 23:58:15 -------- d-----w- C:\Program Files (x86)\ATI Technologies
    2011-05-20 23:57:20 -------- d-----w- C:\Program Files\ATI Technologies
    2011-05-20 23:57:17 -------- d-----w- C:\Program Files\ATI
    2011-05-20 23:54:12 90112 ----a-w- C:\Windows\System32\snymsico.dll
    2011-05-20 23:54:12 62976 ----a-w- C:\Windows\System32\drivers\rimmpx64.sys
    2011-05-20 23:54:12 57856 ----a-w- C:\Windows\System32\drivers\rixdpx64.sys
    2011-05-20 23:54:12 55296 ----a-w- C:\Windows\System32\drivers\rimspx64.sys
    2011-05-20 23:54:12 172032 ----a-w- C:\Windows\System32\rixdicon.dll
    2011-05-20 23:45:30 -------- d-----w- C:\ProgramData\Citrix
    2011-05-20 23:44:57 -------- d-----w- C:\Program Files (x86)\Citrix
    2011-05-20 23:44:46 60968 ----a-w- C:\Users\Savage\GoToAssistDownloadHelper.exe
    2011-05-20 23:44:46 -------- d-----w- C:\Users\Savage\AppData\Local\Citrix
    2011-05-20 23:44:04 -------- d-----w- C:\Users\Savage\AppData\Local\Apps
    2011-05-20 23:44:03 -------- d-----w- C:\Users\Savage\AppData\Local\Deployment
    2011-05-20 23:37:48 -------- d-----w- C:\Program Files\Broadcom
    2011-05-20 23:37:15 -------- d-----w- C:\dell
    2011-05-20 23:34:36 45056 ----a-r- C:\Users\Savage\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
    2011-05-20 23:34:32 -------- d-----w- C:\Windows\SysWow64\vmm32
    2011-05-20 23:34:32 -------- d-----w- C:\Program Files (x86)\Dell
    2011-05-20 23:34:12 -------- d-sh--w- C:\Windows\Installer
    .
    ==================== Find3M ====================
    .
    2010-07-08 14:37:14 101544 ----a-w- C:\Program Files\Common Files\LinkInstaller.exe
    .
    ============= FINISH: 1:19:30.99 ===============

  3. #13
Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

It looks like there are some items of BitDefender 2011 there. Do you have the program installed, and is it more than just a trial version? If you have a legit license for it, then it's OK to use it. I've listed a few other antivirus options below.


    Good free antivirus programs are:
    Antivir and
    Avast!

    Good commercial ones are from:
    Kaspersky and
    ESET

Download and run Secunia Personal Software Inspector (PSI) and fix its findings. This program helps keep the system updated.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  4. #14
    Junior Member
    Join Date
    May 2011
    Posts
    8


BitDefender is a trial. I wanted some protection till I got your recs. I'll go ahead and try Avast or buy Kaspersky this time around since Avira dropped the ball this time around. Will the ones you mentioned alert me if malware is attempting to make registry changes too, or would that be a different sort of program? Thanks so much for all your help.

  5. #15
Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,
Will the ones you mentioned alert me if malware is attempting to make registry changes too, or would that be a different sort of program?
    WinPatrol and Spybot's TeaTimer alert about registry changes in general.
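The DDS log in post #12 and the question in post #14 about being alerted to registry changes both come down to the same thing: reading the autorun locations (the Run/RunOnce keys, BHOs, DPF downloads, the Hosts file and the Winlogon Userinit value) and deciding which entries are out of place. As an added example, not code from this thread, from DDS, WinPatrol or TeaTimer, here is a small Python checker that parses the "Pseudo HJT Report" line shapes DDS prints and applies a few of the checks a helper applies by eye. The sample input reuses report lines from the log above plus one constructed malicious line (the `Updater` entry launching a `svchost.exe` out of a Temp folder); the suspect-directory list, the system-binary-name list and the security-domain keyword list are assumptions for the example, not DDS rules.

```python
import re
from dataclasses import dataclass, field

# Line shapes of the DDS "Pseudo HJT Report" section, as printed in the log above.
RUN_RE = re.compile(r'^(?P<scope>[um])(?P<key>Run(?:Once)?)(?:-x64)?:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$')
BHO_RE = re.compile(r'^BHO:\s+(?P<name>.*?):\s+\{[0-9A-Fa-f-]+\}\s+-\s+(?P<path>.*)$')
DPF_RE = re.compile(r'^DPF:\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<url>\S+)$')
HOSTS_RE = re.compile(r'^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)')
WINLOGON_RE = re.compile(r'^mWinlogon:\s+Userinit=(?P<value>.*)$')
# First executable in a command line: a quoted path, or an unquoted one up to its extension.
EXE_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|scr|dll|cpl|com|bat|cmd|vbs|js|pif)))', re.I)

# Heuristics (assumptions for this example): where autoruns should not live, which file
# names malware likes to borrow, and which hostnames should never point at localhost.
SUSPECT_DIRS = ('\\temp\\', '\\temporary internet files\\', '\\users\\public\\', '\\recycler\\', '\\$recycle.bin\\')
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'explorer.exe', 'services.exe'}
SYSTEM_DIRS = ('\\windows\\system32\\', '\\windows\\syswow64\\')
SECURITY_WORDS = ('spyware', 'malware', 'antivirus', 'avast', 'kaspersky', 'eset', 'bitdefender',
                  'symantec', 'mcafee', 'microsoft', 'avira')

@dataclass
class Finding:
    kind: str          # Run, RunOnce, BHO, DPF, Hosts or Winlogon
    scope: str         # 'user' (HKCU, DDS prefix u) or 'machine' (HKLM, prefix m)
    name: str
    target: str        # executable path, DLL, URL or IP address
    flags: list = field(default_factory=list)

def exe_path(cmd):
    """Pull the launched binary out of a Run-key command line."""
    m = EXE_RE.match(cmd)
    return (m.group('q') or m.group('u')).strip() if m else cmd.strip()

def path_flags(path):
    low = path.lower()
    flags = []
    if any(d in low for d in SUSPECT_DIRS):
        flags.append('runs from a temp/user-writable directory')
    base = low.rsplit('\\', 1)[-1]
    # A bare name (no directory) resolves through the normal search path; only a full
    # path outside System32/SysWOW64 carrying a system binary's name is suspicious.
    if base in SYSTEM_NAMES and '\\' in low and not any(d in low for d in SYSTEM_DIRS):
        flags.append('system binary name outside System32')
    return flags

def userinit_flags(value):
    """Userinit must be exactly userinit.exe; malware appends itself after a comma."""
    parts = [p.strip() for p in value.split(',') if p.strip()]
    if len(parts) != 1:
        return ['extra program chained onto Userinit']
    low = parts[0].lower()
    base = low.rsplit('\\', 1)[-1]
    if base != 'userinit.exe' or ('\\' in low and not any(d in low for d in SYSTEM_DIRS)):
        return ['Userinit points somewhere other than System32\\userinit.exe']
    return []

def parse_hjt(lines):
    findings = []
    for line in lines:
        line = line.strip()
        if m := RUN_RE.match(line):
            scope = 'user' if m['scope'] == 'u' else 'machine'
            path = exe_path(m['cmd'])
            findings.append(Finding(m['key'], scope, m['name'], path, path_flags(path)))
        elif m := BHO_RE.match(line):
            findings.append(Finding('BHO', 'machine', m['name'], m['path'], path_flags(m['path'])))
        elif m := DPF_RE.match(line):
            url = re.sub(r'^hxxp', 'http', m['url'], flags=re.I)  # DDS defangs URLs; undo for lookup
            findings.append(Finding('DPF', 'machine', m['clsid'], url))
        elif m := HOSTS_RE.match(line):
            flags = []
            if m['ip'] in ('127.0.0.1', '0.0.0.0', '::1') and any(w in m['host'].lower() for w in SECURITY_WORDS):
                flags.append('security-related domain redirected to localhost; confirm who added it')
            findings.append(Finding('Hosts', 'machine', m['host'], m['ip'], flags))
        elif m := WINLOGON_RE.match(line):
            findings.append(Finding('Winlogon', 'machine', 'Userinit', m['value'], userinit_flags(m['value'])))
    return findings

def flagged(findings):
    return [f for f in findings if f.flags]

# Constructed sample: the report lines from the log above, plus one invented bad entry (Updater).
SAMPLE = r"""
mWinlogon: Userinit=userinit.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRunOnce-x64: [LinkInstaller] "C:\Program Files\Common Files\LinkInstaller.exe"
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 127.0.0.1 www.spywareinfo.com
uRun: [Updater] C:\Users\Savage\AppData\Local\Temp\svchost.exe
"""

if __name__ == '__main__':
    for f in parse_hjt(SAMPLE.splitlines()):
        mark = '!!' if f.flags else '  '
        extra = f"  [{'; '.join(f.flags)}]" if f.flags else ''
        print(f"{mark} {f.kind:8} {f.scope:7} {f.name!r:28} -> {f.target}{extra}")
```

Run against the sample, the checker flags two lines: the Hosts override that sends a spyware-related hostname to 127.0.0.1 (which is exactly the kind of entry a helper asks about, since both malware and hosts-file immunizers write such lines) and the constructed `Updater` entry, which trips two heuristics at once. Everything DDS reported from the fresh install passes. A tool like WinPatrol or TeaTimer watches the same keys live and prompts at write time; this script only reads a log after the fact.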

  6. #16
Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

    If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.