Malware Issue



Aaron John
2012-07-06, 05:23
Hello Safer Networking Forums,

Here is the DDS log file and Attach as requested:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Suzanne at 22:15:52 on 2012-07-05
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3069.1248 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\hasplms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Intuit\QuickBooks Enterprise Solutions 8.0\QBW32.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Suzanne\AppData\Local\Temp\Temp1_rootalyz-0.3.4.47.zip\RootAlyzer.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\VS Revo Group\Revo Uninstaller\Revouninstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: 2YourFace Addon: {1185823f-f22f-4027-80e5-4f68acd5de5e} - c:\program files\2yourface\bho.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~3.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbwebconnector\QBWebConnector.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~2.lnk - c:\program files\intuit\quickbooks enterprise solutions 8.0\QBW32.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.2
TCP: Interfaces\{573641AC-606F-4BFF-9BD1-271486C646DD} : DhcpNameServer = 192.168.1.2
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks enterprise solutions 8.0\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\suzanne\appdata\roaming\mozilla\firefox\profiles\go7kjpzg.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-2-22 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-1 353688]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-1 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-1 57656]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-1 44808]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-7-22 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-4 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-7-4 22344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2010-6-1 25596]
S3 gupdatem;Google Update Service (gupdatem);"c:\program files\google\update\googleupdate.exe" /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-26 113120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-8 374152]
.
=============== Created Last 30 ================
.
2012-07-05 22:42:11 -------- d-----w- c:\program files\FileAlyzer 2
2012-07-04 20:40:40 65536 ----a-w- c:\windows\IFinst27.exe
2012-07-04 19:20:24 -------- d-----w- c:\users\suzanne\appdata\roaming\SUPERAntiSpyware.com
2012-07-04 19:19:09 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-07-04 19:19:09 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-07-04 18:26:10 -------- d-----w- c:\users\suzanne\appdata\roaming\Malwarebytes
2012-07-04 18:26:03 -------- d-----w- c:\programdata\Malwarebytes
2012-07-04 18:26:02 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-04 18:26:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-04 04:48:36 -------- d-----w- C:\Scripts
2012-07-04 03:52:17 -------- d-----w- c:\users\suzanne\appdata\roaming\GetFoldersize
2012-07-04 03:52:00 86016 ----a-w- c:\windows\system32\mtSplitter.ocx
2012-07-04 03:52:00 44736 ----a-w- c:\windows\system32\mtSubclass.dll
2012-07-04 03:52:00 171752 ----a-w- c:\windows\system32\mtRTF2.ocx
2012-07-04 03:52:00 1005088 ----a-w- c:\windows\system32\TList8.ocx
2012-07-04 03:51:59 2369456 ----a-w- c:\windows\system32\Codejock.CommandBars.v13.4.2.ocx
2012-07-04 03:51:59 -------- d-----w- c:\program files\GetFoldersize
2012-07-03 23:41:26 -------- d-----w- c:\programdata\MindGems
2012-07-03 23:30:49 -------- d-----w- c:\users\suzanne\appdata\roaming\JAM Software
2012-07-03 23:25:40 -------- d-----w- c:\program files\WinDirStat
2012-07-03 23:19:12 -------- d-----w- c:\program files\SpaceSniffer
2012-07-03 22:31:53 -------- d-----w- c:\program files\VS Revo Group
2012-07-03 22:05:05 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-07-03 18:32:58 -------- d-----w- c:\users\suzanne\appdata\local\Microsoft_Corporation
2012-07-03 14:20:25 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{d667b318-46a9-4af6-888a-85e79d445511}\mpengine.dll
2012-07-01 02:03:54 -------- d-----w- C:\My VB Scripts
2012-06-30 21:51:08 -------- d-----w- c:\users\suzanne\appdata\local\MigWiz
2012-06-30 21:33:03 49208 ----a-w- c:\program files\movie maker\google\googletoolbarnotifier\5.7.7227.1100\gth.dll
2012-06-30 21:33:03 39408 ----a-w- c:\program files\movie maker\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
2012-06-30 21:33:02 150072 ----a-w- c:\program files\movie maker\google\googletoolbarnotifier\5.7.7227.1100\gtn.dll
2012-06-30 21:33:02 1003576 ----a-w- c:\program files\movie maker\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
2012-06-30 21:33:00 182768 ----a-w- c:\program files\movie maker\google\common\google updater\GoogleUpdaterService.exe
2012-06-30 21:32:53 307824 ----a-w- c:\program files\movie maker\google\google toolbar\GoogleToolbarUser_32.exe
2012-06-30 21:32:53 192112 ----a-w- c:\program files\movie maker\google\google toolbar\GoogleToolbar_32.dll
2012-06-30 21:32:51 307824 ----a-w- c:\program files\movie maker\google\google toolbar\component\GoogleToolbarUser_32_CA551D1A255EA456.exe
2012-06-30 21:32:51 3050608 ----a-w- c:\program files\movie maker\google\google toolbar\component\GoogleToolbarDynamic_32_17695C964715481C.dll
2012-06-30 21:32:51 192112 ----a-w- c:\program files\movie maker\google\google toolbar\component\GoogleToolbar_32_D22497B1230DF65B.dll
2012-06-30 21:32:51 182768 ----a-w- c:\program files\movie maker\google\google toolbar\component\GoogleUpdaterService_5898FABCFA121C11.exe
2012-06-30 21:32:51 1721400 ----a-w- c:\program files\movie maker\google\google toolbar\component\SearchWithGoogleUpdate_3CEFEC1F9BB6F303.exe
2012-06-30 21:32:51 1231472 ----a-w- c:\program files\movie maker\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6934F32E05F1ABDC.dll
2012-06-30 21:32:51 1052272 ----a-w- c:\program files\movie maker\google\google toolbar\component\GoogleToolbarManager_F91D44FAA5479127.exe
2012-06-30 21:32:41 2325104 ----a-w- c:\program files\movie maker\google\update\download\{f69eabdd-a4bb-4555-be7e-1ea5f59bba24}\0.0.0.0\googletoolbarinstaller_en32_signed.exe
2012-06-30 20:56:31 -------- d-----w- C:\Brother
2012-06-30 20:56:27 45056 ----a-w- c:\windows\system32\BRTCPCON.DLL
2012-06-30 20:56:27 103736 ----a-w- c:\windows\system32\BRRBTOOL.EXE
2012-06-30 20:56:24 77824 ----a-w- c:\windows\system32\BRLMW03A.DLL
2012-06-30 20:56:24 25299 ----a-w- c:\windows\system32\BRLM03A.DLL
2012-06-30 20:56:19 73728 ------w- c:\windows\system32\BrDctF2.dll
2012-06-30 20:56:19 5120 ------w- c:\windows\system32\BrDctF2L.dll
2012-06-30 20:56:19 2560 ------w- c:\windows\system32\BrDctF2S.dll
2012-06-30 20:56:19 217088 ------w- c:\windows\system32\NSSearch.dll
2012-06-30 20:56:18 -------- d-----w- c:\program files\Brother
2012-06-30 20:56:17 180224 ------w- c:\windows\system32\BroSNMP.dll
2012-06-30 20:53:38 -------- d-----w- c:\programdata\Brother
2012-06-26 02:40:40 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-26 01:56:03 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-06-26 01:55:56 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-26 01:55:56 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-26 01:55:55 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-26 01:55:44 1218048 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-06-26 01:55:43 1404928 ----a-w- c:\program files\common files\microsoft shared\ink\InkObj.dll
2012-06-26 01:55:42 964608 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-06-26 01:55:41 983040 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-06-26 01:55:41 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-06-26 01:55:39 47104 ----a-w- c:\program files\windows journal\PDIALOG.exe
2012-06-26 01:55:26 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-06-26 01:55:01 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-26 01:54:45 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-06-26 01:54:44 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-06-26 01:54:43 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-06-26 01:54:43 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-06-26 01:54:42 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-06-26 01:54:39 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-06-26 01:47:55 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-26 01:47:54 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-06-26 01:15:29 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-26 01:14:46 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-26 01:14:32 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-26 01:14:32 171904 ----a-w- c:\windows\system32\wuwebv.dll
.
==================== Find3M ====================
.
2012-06-28 12:52:37 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-06-28 12:52:37 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-06-28 12:52:20 41224 ----a-w- c:\windows\avastSS.scr
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
.
============= FINISH: 22:16:33.27 ===============
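As an added illustration (not part of the thread), this is the kind of first-pass triage a helper does by eye on a DDS log like the one above: it walks the Running Processes, Pseudo HJT Report and Services/Drivers lines and flags the patterns worth a closer look (a disabled AV/SP product, a process running from a Temp folder, a BHO registered with "No File", a service whose image DDS could not verify, shown as "[?]"). The sample lines are a constructed excerpt modelled on the posted log; a hit is a lead to confirm, not a verdict (the Temp-folder process here is the RootAlyzer tool the poster had just unzipped and run).

```python
import re

# Constructed excerpt in DDS output format, modelled on the posted log.
SAMPLE_LOG = r"""
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
C:\Windows\system32\wininit.exe
C:\Users\Suzanne\AppData\Local\Temp\Temp1_rootalyz-0.3.4.47.zip\RootAlyzer.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-4 654408]
"""

# Each rule is (label, pattern). Patterns follow the DDS line shapes seen in the
# log header (AV:/SP: lines), the process list (bare paths), the Pseudo HJT
# report (BHO:/TB: entries) and the SERVICES / DRIVERS section (R#/S# entries).
RULES = [
    ("security product reports itself disabled",
     re.compile(r"^(AV|SP|FW): .*\*Disabled", re.I)),
    ("process running from a user Temp folder",
     re.compile(r"^[a-z]:\\.*\\appdata\\local\\temp\\", re.I)),
    ("browser extension registered but its file is missing",
     re.compile(r"^(BHO|TB): .* - No File$", re.I)),
    ("service image path could not be verified by DDS",
     re.compile(r"^[RS]\d .*\[\?\]$")),
]


def triage(log_text):
    """Return (label, line) pairs for every DDS line that matches a rule.

    Only the first matching rule per line is reported, so a line is never
    listed twice. Lines that match nothing are dropped from the result.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((label, line))
                break
    return findings


if __name__ == "__main__":
    for label, line in triage(SAMPLE_LOG):
        print(f"[{label}]\n    {line}")
```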

JonTom
2012-07-20, 23:55
Hello Aaron John and welcome

My name is JonTom

Malware Logs can sometimes take a lot of time to research and interpret.

Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.

Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.

Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.

PLEASE NOTE: If you do not reply after 3 days your thread will be closed.


Is this a business machine or your own personal computer?

Please describe the exact problems that you are having with the machine.


Since your DDS scan is a few days old now, please re-scan with DDS and post the latest logs here for me to review (there is no need to attach any logs, just paste them directly into your replies).

In addition to the DDS logs I would also like to see a report from the following tool:


aswMBR


Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.
Double click the aswMBR.exe to run it.
When asked if you want to download Avast's virus definitions please select Yes.
Click the "Scan" button to start scan.

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply.

http://public.avast.com/~gmerek/aswMBR2.png

Please post both DDS logs and the aswMBR log in your next reply along with the answers to my questions :)

JonTom
2012-07-24, 18:41
Do you still need help?

JonTom
2012-07-26, 14:27
Due to lack of response, this topic is now closed.

If you are the topic starter and need this topic reopened, please PM a staff member (include the address of this thread in your request).

Everyone else please start a new topic.