Jump to content

Infected with System Restore Virus


Recommended Posts

Hi,

My laptop is infected with malware that claims to be a system restore tool and has hidden lots of my files and programs. I've tried to remove it with MBAM which reports 0 infected files, however the database is 88 days out of date, and when I try to update it I get the following error - PROGRAM_ERROR_UPDATING (2, 0, Connection refused). I've tried using Rkill, and although it does kill a couple of processes it doesn't solve the MBAM update issue. I've also tried using safe mode with networking, but the laptop hangs while trying to load the file crcdisk.

Any help you can give would be greatly appreciated. DDS report is below as requested.

Thanks

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.5.0_17

Run by James at 20:23:28 on 2011-11-27

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.957 [GMT 0:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Acer\ALaunch\ALaunchSvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Creative\Shared Files\CTDevSrv.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe

C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe

C:\Acer\Empowering Technology\eNet\eNet Service.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Acer\Mobility Center\MobilityService.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe

C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Virgin Mobile\Broadband Home\DataCardMonitor.exe

C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Creative\Software Update 3\SoftAuto.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe

C:\Program Files\SanDisk\SanDisk Media Manager\SanDiskMediaManager-Launcher.EXE

C:\Windows\system32\igfxext.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\ehome\ehmsas.exe

C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE

C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE

C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE

C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE

C:\Program Files\Apoint2K\ApMsgFwd.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\explorer.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe

C:\Windows\system32\Macromed\Flash\FlashUtil10m_ActiveX.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.bbc.co.uk/

uSEARCH PAGE =

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uSearch Bar =

uDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://en.uk.acer.yahoo.com

mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\office14\GROOVEEX.DLL

BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll

BHO: {9565115d-c7d6-46d3-bd63-b67b481a4368} - No File

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - d:\office14\URLREDIR.DLL

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll

TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll

TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: {9565115d-c7d6-46d3-bd63-b67b481a4368} - No File

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [softAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [trfnnmNFIoGhaDl.exe] c:\programdata\trfnnmNFIoGhaDl.exe

mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

mRun: [ALaunch] c:\acer\alaunch\AlaunchClient.exe

mRun: [RtHDVCpl] RtHDVCpl.exe

mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [LManager] c:\progra~1\launch~1\LManager.exe

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [eRecoveryService]

mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe

mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe

mRun: [setPanel] c:\acer\apanel\APanel.cmd

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [DataCardMonitor] c:\program files\virgin mobile\broadband home\DataCardMonitor.exe

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [skytel] Skytel.exe

mRun: [bCSSync] "d:\office14\BCSSync.exe" /DelayServices

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\SANDIS~1.LNK -

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - d:\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - d:\office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - d:\office14\ONBttnIELinkedNotes.dll

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{2AEC3DE6-CA55-4741-9B18-3F7B52AAA50A} : DhcpNameServer = 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: eNetHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\office14\GROOVEEX.DLL

.

============= SERVICES / DRIVERS ===============

.

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20081127.001\IDSvix86.sys [2008-12-1 270384]

R2 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2007-7-26 50688]

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-7-26 179712]

R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-10-3 37936]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-9 24576]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\office14\GROOVE.EXE [2010-3-25 30969208]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-9-3 1251720]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-11-27 19:17:36 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{fa102f58-496b-400f-acd1-c14d94ac6555}\offreg.dll

2011-11-27 17:15:03 -------- d-----w- c:\users\james\appdata\roaming\Malwarebytes

2011-11-27 17:14:45 -------- d-----w- c:\programdata\Malwarebytes

2011-11-27 17:14:41 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-27 17:14:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-27 16:33:55 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{fa102f58-496b-400f-acd1-c14d94ac6555}\mpengine.dll

.

==================== Find3M ====================

.

2011-10-28 19:11:03 327568 ----a-w- c:\programdata\mpdonxRWd2Yvlz.exe

.

============= FINISH: 20:24:45.21 ===============

Link to post
Share on other sites

Welcome to the forum.

See if following this guide works.

Make sure you run rkill and then immediately run MBAM as desribed.

Most important....update MBAM before you run it.

The link below explains how to rename MBAM if needed:

http://forums.malwarebytes.org/index.php?showtopic=55485&view=findpost&p=274963

Post the logs back here, Good Luck....MrC

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.