Results 1 to 2 of 2

Thread: Possible 0access infection...

  1. 2011-12-05, 01:49 #1
    harddriver
    harddriver is offline
    Junior Member
    Join Date
    Dec 2011
    Posts
    2

    Default Possible 0access infection...

    What started as a rogue antivirus removal has turned into something much worse. I got rid of the main program and registry keys (defender.exe) and a few day later some new symptoms started to appear. First of all, we could start an antivirus install, and it would just quit. We then installed MalwareBytes and it would just stop and then we wouldn't be able to access it again. Same with other antimalware software. I rolled the system back as far as I could using system restore and then was able to do a few things. I installed AVG antivirus and MalwareBytes and ran them. Now we can't even get online. Please help. Attached are the logs I have found.


    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
    Run by user at 19:08:11 on 2011-12-04
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.567 [GMT -5:00]
    .
    AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Norton AntiVirus *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\WINDOWS\system32\wuauclt.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    uURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
    BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\17.8.0.5\IPSBHO.DLL
    BHO: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPage.dll
    TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
    mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\802.11 wireless lan\802.11g wireless cardbus & pci adapter hw.51 v1.00\WlanCU.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
    IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
    LSP: mswsock.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231364428265
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
    TCP: Interfaces\{E670D14B-44E6-4DFA-ADFC-78D79616D70D} : DhcpNameServer = 24.159.64.23 24.217.201.67 66.189.0.100
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Notify: SDWinLogon - SDWinLogon.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\u0o7a27c.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\documents and settings\user\local settings\application data\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, bf1e877a-46d1-4764-a841-61f8c7433992
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
    R1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\spybot - search & destroy 2\SDHookDrv32.sys [2011-12-3 38504]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2011-12-3 892336]
    R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2011-12-3 955816]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
    S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nav\1108000.005\symds.sys --> c:\windows\system32\drivers\nav\1108000.005\SYMDS.SYS [?]
    S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1108000.005\symefa.sys --> c:\windows\system32\drivers\nav\1108000.005\SYMEFA.SYS [?]
    S1 BHDrvx86;BHDrvx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20101123.003\bhdrvx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\bashdefs\20101123.003\BHDrvx86.sys [?]
    S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1108000.005\cchpx86.sys --> c:\windows\system32\drivers\nav\1108000.005\ccHPx86.sys [?]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nav\1108000.005\ironx86.sys --> c:\windows\system32\drivers\nav\1108000.005\Ironx86.SYS [?]
    S2 NAV;Norton AntiVirus;"c:\program files\norton antivirus\engine\17.8.0.5\ccsvchst.exe" /s "nav" /m "c:\program files\norton antivirus\engine\17.8.0.5\dimaster.dll" /prefetch:1 --> c:\program files\norton antivirus\engine\17.8.0.5\ccSvcHst.exe [?]
    S2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\spybot - search & destroy 2\SDHookSvc.exe [2011-12-3 130976]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
    S3 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20110114.002\idsxpx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\ipsdefs\20110114.002\IDSxpx86.sys [?]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-3 22216]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20110116.003\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20110116.003\NAVENG.SYS [?]
    S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20110116.003\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nav_17.0.0.136\definitions\virusdefs\20110116.003\NAVEX15.SYS [?]
    .
    =============== Created Last 30 ================
    .
    2011-12-04 23:03:29 -------- d-----w- C:\pt
    2011-12-04 01:17:34 -------- d--h--w- C:\$AVG
    2011-12-04 00:55:38 -------- d-----w- c:\documents and settings\user\application data\AVG2012
    2011-12-04 00:52:34 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-12-04 00:52:34 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
    2011-12-04 00:52:01 -------- d-----w- c:\program files\AVG
    2011-12-04 00:46:41 -------- d-----w- c:\documents and settings\user\application data\ElevatedDiagnostics
    2011-12-03 20:58:34 -------- d-----w- C:\ProcAlyzer Dumps
    2011-12-03 20:46:46 -------- d-----w- C:\SpybotBootCD
    2011-12-03 19:30:59 15224 ----a-w- c:\windows\system32\sdnclean.exe
    2011-12-03 19:24:08 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-12-03 19:24:08 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-12-03 16:39:39 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
    2011-12-03 09:03:58 -------- d-----w- C:\!KillBox
    2011-12-03 08:23:05 -------- d-----w- c:\documents and settings\user\application data\LockHunter
    2011-12-03 08:22:04 -------- d-----w- c:\program files\LockHunter
    2011-12-03 08:06:34 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
    2011-12-03 08:06:34 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
    2011-12-03 06:42:39 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-03 06:42:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-03 05:57:47 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2011-12-02 08:11:22 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2011-12-01 17:29:37 50112 --sha-w- c:\windows\system32\c_32092.nl_
    2011-11-23 22:39:06 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-23 20:43:58 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2011-11-23 20:43:24 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-11-23 18:46:06 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
    2011-11-23 17:29:05 -------- d-----w- c:\windows\pss
    2011-11-23 17:24:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    .
    ==================== Find3M ====================
    .
    2011-12-03 06:38:41 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
    2011-12-02 03:29:23 405504 ----a-w- c:\windows\system32\ati2evxx.exe
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-10-07 11:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2011-10-04 11:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-13 11:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 19:08:36.40 ===============
  2. 2011-12-07, 09:09 #2
    harddriver
    harddriver is offline
    Junior Member
    Join Date
    Dec 2011
    Posts
    2

    Exclamation Close Topic, I fixed it myself

    Fixed it myself. Mods, please close this topic.
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules