Virus/Rootkit



tunafish
2011-09-23, 18:17
Hi, our computer got some sort of malware recently. It makes the web browser load very slow, and sometimes crashes it. It also redirects the web browser. It crashes the video card driver as well, making it have to continually recover.

My brother has already run a lot of programs to try to fix this, so I will include a list of what has been run. I read the FAQ here, and want to include this information. I will also include the DDS log as requested, and any other log that you guys may want.

Here is a list of programs that have been run already.

Avast
TDSSKiller
Combofix
GMER
Malwarebytes
HiJackThis!
DDS
OTL
sar_15_sfx
Microsoft Security Essentials
Eset Online Scan


Avast finds Win32.Rloader-B and deletes it, but it comes back on restart. TDSSKiller finds Win32.Rloader.a. Avast asks to do a boot time scan, but that fails to delete the files during the scan.

Eset online scan was blue screening the computer, but came back clean after running TDSSKiller. Bitdefender online scan will not load anything at all.

I have the logs for all of the scans above, but I do not want to spam the forums, so I will wait until asked.

Thanks for any help.

Below is the requested DDS log.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19019
Run by at 12:53:08 on 2011-09-21
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3062.2013 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Steam\steam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Steam] "c:\steam\steam.exe" -silent
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{82AC1533-0739-4F96-AF86-4EA84649223D} : DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{9D3AF5F3-16E6-4FE9-B109-C27ADDCF393E} : DhcpNameServer = 68.87.68.166 68.87.74.166
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-6-6 28552]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-9-21 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-9-21 320856]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-9-21 20568]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-9-21 54616]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-9-21 44768]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-2-24 21504]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-7-15 2255464]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-8-3 379496]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6032.sys [2009-9-23 191656]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-9-6 139368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ProfSvc32;User Profile Service ;c:\programdata\audiokse32.exe --> c:\programdata\AUDIOKSE32.exe [?]
S3 SaiK0836;SaiK0836;c:\windows\system32\drivers\SaiK0836.sys [2010-2-24 107008]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
S4 AsSysCtrlService;ASUS System Control Service;c:\program files\asus\assysctrlservice\1.00.00\AsSysCtrlService.exe [2002-1-1 86016]
S4 StarWindServiceAE;StarWind AE Service;c:\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
.
=============== Created Last 30 ================
.
2011-09-21 11:45:51 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-21 11:45:50 54616 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-09-21 11:45:38 41184 ----a-w- c:\windows\avastSS.scr
2011-09-19 06:32:18 -------- d-----w- c:\users\appdata\roaming\Blueberry
2011-09-19 06:31:27 -------- d-----w- c:\users\appdata\roaming\LogSys
2011-09-19 06:31:26 -------- d-----w- c:\programdata\LogSys
2011-09-19 06:13:16 -------- d-----w- c:\users\appdata\local\TechSmith
2011-09-08 09:26:47 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2011-09-08 09:26:47 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2011-09-08 09:26:47 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2011-09-08 09:26:47 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2011-09-08 09:26:47 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2011-09-08 09:26:47 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2011-09-08 09:26:47 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2011-09-08 09:26:46 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2011-09-08 06:24:51 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-06 05:22:23 6613096 ----a-w- c:\windows\system32\nvwgf2um.dll
2011-09-06 05:22:23 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-09-06 05:22:23 16595560 ----a-w- c:\windows\system32\nvoglv32.dll
2011-09-06 05:22:22 914024 ----a-w- c:\windows\system32\nvdispco32.dll
2011-09-06 05:22:22 875112 ----a-w- c:\windows\system32\nvgenco32.dll
2011-09-06 05:22:22 5404776 ----a-w- c:\windows\system32\nvcuda.dll
2011-09-06 05:22:22 2391656 ----a-w- c:\windows\system32\nvcuvid.dll
2011-09-06 05:22:22 2090088 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-09-06 05:22:22 17193576 ----a-w- c:\windows\system32\nvcompiler.dll
2011-09-06 05:22:22 12636776 ----a-w- c:\windows\system32\nvd3dum.dll
2011-09-06 05:22:22 10304104 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2011-09-06 04:41:23 -------- d-----w- c:\programdata\NVIDIA(43)
2011-09-06 04:39:57 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-09-06 04:39:57 600680 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-09-06 04:39:57 599144 ----a-w- c:\windows\system32\nvvsvc.exe
2011-09-06 04:39:57 3730024 ----a-w- c:\windows\system32\nvcpl.dll
2011-09-06 04:39:57 2558568 ----a-w- c:\windows\system32\nvsvc.dll
2011-09-06 04:39:57 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-09-06 04:39:50 -------- d-----w- c:\programdata\NVIDIA Corporation
2011-09-06 04:39:01 865896 ----a-w- c:\windows\system32\nvhdagenco322040.dll
2011-09-06 04:39:01 26216 ----a-w- c:\windows\system32\nvhdap32.dll
2011-09-06 04:39:01 139368 ----a-w- c:\windows\system32\drivers\nvhda32v.sys
2011-09-06 04:39:00 2412136 ----a-w- c:\windows\system32\nvapi.dll
.
==================== Find3M ====================
.
2011-08-20 06:30:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-03 07:31:54 311912 ----a-w- c:\windows\system32\nvStreaming.exe
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
============= FINISH: 12:54:23.39 ===============

shelf life
2011-10-09, 19:52
Hi,

Your post is a few days old. If you still need help simply reply back.