
Greetings,

My computer was infected with Rogue Antivirus 2010. I ran full scans with Avira and MBAM which removed several items. Subsequent scans with MBAM keep finding the same problem: "Files Infected: C:\Windows\system32\us?rinit.exe (Rogue.Antivirus2010)".

I followed the instructions in the "I'm infected...." post and have copied/attached logs as instructed. Two discrepancies/differences were noted: 1) Defogger did NOT prompt me to reboot, although I did receive a "finished" message. I manually re-booted. 2) DDS did not generate two logs as described. Only "DDS.txt" appeared. There was no sign of "Attach.txt."

Thanks in advance!

***********************

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4862

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18975

10/17/2010 2:01:50 PM

mbam-log-2010-10-17 (14-01-50).txt

Scan type: Quick scan

Objects scanned: 162282

Time elapsed: 11 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32\us?rinit.exe (Rogue.Antivirus2010) -> Quarantined and deleted successfully.

*************************

DDS (Ver_10-10-10.03) - NTFSx86

Run by Patrick at 19:01:55.93 on Sun 10/17/2010

Internet Explorer: 8.0.6001.18975

Microsoft

Attach.zip

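The "?" in that detection path is what a scanner writing an ANSI log prints for a character it cannot encode, which is how a dropped file can sit beside the genuine userinit.exe under a name that looks identical on screen. The following is an added example, not code from this thread or from Malwarebytes; it assumes, as a constructed case, that the lookalike used a Cyrillic letter, and shows a defender-side check that folds confusable characters so such names stand out in a directory listing.

```python
import unicodedata

# Logon/startup binaries that rogue AV families commonly imitate
# (illustrative list, an assumption of this example, not from the thread).
PROTECTED = {"userinit.exe", "winlogon.exe", "explorer.exe", "svchost.exe", "lsass.exe"}

# Minimal confusables table: Cyrillic/Greek letters that render like Latin ones.
# Assumption: a production tool would load the full Unicode confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a",
}

# Constructed directory listing standing in for C:\Windows\system32.
SAMPLE_LISTING = [
    "userinit.exe",          # the genuine binary
    "us\u0435rinit.exe",     # Cyrillic small 'ie' (U+0435) in place of Latin 'e'
    "winlogon.exe",
    "w\u0456nlogon.exe",     # Cyrillic 'i' (U+0456)
    "kernel32.dll",
]


def skeleton(name: str) -> str:
    """Reduce a filename to the ASCII string it *looks* like.

    Case-fold, decompose accented letters (NFKD), drop combining marks,
    then map known confusable letters onto their Latin look-alikes.
    """
    folded = []
    for ch in unicodedata.normalize("NFKD", name.casefold()):
        if unicodedata.category(ch) == "Mn":      # combining accent: discard
            continue
        folded.append(CONFUSABLES.get(ch, ch))
    return "".join(folded)


def find_lookalikes(names):
    """Return (actual_name, imitated_name) pairs for entries that visually
    mimic a protected binary but are not byte-for-byte that name."""
    hits = []
    for name in names:
        target = skeleton(name)
        if target in PROTECTED and name.casefold() != target:
            hits.append((name, target))
    return hits


def as_logged(name: str, codepage: str = "cp1252") -> str:
    """Show how a non-ANSI character becomes '?' when a tool writes its
    log in a legacy Windows code page, as in the MBAM line above."""
    return name.encode(codepage, errors="replace").decode(codepage)


if __name__ == "__main__":
    for actual, imitated in find_lookalikes(SAMPLE_LISTING):
        print(f"lookalike: {actual!r} imitates {imitated} (logged as {as_logged(actual)})")
```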

Hello TK421! Welcome to Malwarebytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
  • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something, please ask.
  • Do not install or uninstall any software or hardware while we work on it.
  • Keep me informed about any changes.

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.
  2. During the download, rename Combofix to Combo-Fix as follows (see the images CF_download_FF.gif and CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Please download Rootkit Unhooker and save it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it, typically your desktop. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows Vista

Version 6.0.6002 (Service Pack 2)

Number of processors #2

==============================================

>Drivers

==============================================

0x8B804000 C:\Windows\system32\DRIVERS\igdkmd32.sys 7225344 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)

0x81E1E000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)

0x81E1E000 PnpManager 3903488 bytes

0x81E1E000 RAW 3903488 bytes

0x81E1E000 WMIxWDM 3903488 bytes

0x932F0000 Win32k 2109440 bytes

0x932F0000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0x8CA00000 C:\Windows\system32\drivers\RTKVHDA.sys 2093056 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0x8CC02000 C:\Windows\system32\DRIVERS\AGRSM.sys 1163264 bytes (Agere Systems, SoftModem Device Driver)

0x87A0E000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)

0x82E08000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)

0x87802000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)

0x8C2B6000 C:\Windows\system32\DRIVERS\athr.sys 946176 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)

0x804DB000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)

0xAA802000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)

0x8D228000 C:\Windows\System32\Drivers\dump_iaStor.sys 843776 bytes

0x82C0A000 C:\Windows\system32\DRIVERS\iaStor.sys 843776 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)

0x8D33F000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)

0x8BEE8000 C:\Windows\System32\drivers\dxgkrnl.sys 659456 bytes (Microsoft Corporation, DirectX Graphics Kernel)

0x8C208000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)

0x8060E000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)

0x82D53000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0x80411000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)

0x87965000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xA90EA000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)

0x80740000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)

0x8C6E7000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x80697000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)

0x87B5C000 C:\Windows\system32\DRIVERS\tos_sps32.sys 274432 bytes (TOSHIBA Corporation, tos_sps2)

0x8049A000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)

0x807AF000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)

0x8BFA0000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0x8C771000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0x82F3E000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)

0xA9071000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)

0x87B1E000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0x8C64F000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)

0x821D7000 ACPI_HAL 208896 bytes

0x821D7000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0x82D08000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0x8CDCB000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)

0x82FAF000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)

0x8C3BB000 C:\Windows\system32\DRIVERS\SynTP.sys 192512 bytes (Synaptics, Inc., Synaptics Touchpad Driver)

0x8C695000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0x82F13000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)

0x8C60E000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)

0x87928000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)

0xA90C2000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)

0x87BB6000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)

0x806EE000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0x8C6C2000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0x82DCF000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0x8C7CE000 C:\Windows\system32\DRIVERS\avipbb.sys 139264 bytes (Avira GmbH, Avira Driver for Security Enhancement)

0x87907000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)

0xA9031000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0x8C295000 C:\Windows\system32\DRIVERS\Rtlh86.sys 135168 bytes (Realtek Corporation , Realtek 8101E/8168/8169 NDIS6 32-bit Driver )

0x8CD4E000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)

0xA9052000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0x82CE0000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)

0x879D2000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)

0x878EC000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)

0x8D30F000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)

0xA9003000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)

0x82F97000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xA90AA000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)

0x8C7B7000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)

0x82FE9000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xAA8FB000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)

0x8C72F000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)

0x8CDA1000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)

0x8D32A000 C:\Windows\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)

0xA901C000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)

0x805CF000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)

0x805BB000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0x8D207000 C:\Windows\system32\drivers\RTSTOR.SYS 81920 bytes (Realtek Semiconductor Corp., Realtek USB Mass Storage Driver for Vista)

0x8CDB7000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)

0x8C39D000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)

0x87952000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)

0x8C758000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0x87BDD000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)

0x8C684000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)

0x80481000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)

0x82D3A000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)

0x8D3EF000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)

0x8078A000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)

0x805E4000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)

0x82F84000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)

0x8D300000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)

0x87BA7000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0x80715000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)

0x807F0000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0x8BFDE000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0x80731000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)

0x93530000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)

0x8C74A000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)

0x8CD8A000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)

0x807A1000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0x8D21B000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)

0x8CD1E000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)

0x8C642000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)

0x8068A000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)

0xAA8EA000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)

0x8CD42000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0x8BF89000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)

0x8C3B0000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)

0x8C3EC000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)

0x8CD7F000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)

0x82DC4000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0x82FDE000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)

0x82F79000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)

0x8BF95000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0x80727000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)

0x8D2F6000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)

0x82CFE000 C:\Windows\system32\drivers\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)

0x8C638000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)

0x8C7F0000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)

0x8C7AD000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)

0x8C600000 C:\Windows\system32\DRIVERS\pnarp.sys 40960 bytes (Cisco Systems, Inc., Address Resolution Protocol Driver)

0x87A00000 C:\Windows\system32\DRIVERS\purendis.sys 40960 bytes (Cisco Systems, Inc., NDIS Relay Driver)

0xAA8E0000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)

0x8BFED000 C:\Windows\system32\DRIVERS\tdcmdpst.sys 40960 bytes (TOSHIBA Corporation., TOSHIBA ODD Writing Driver for x86.)

0x87BEE000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)

0x8CD2B000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)

0xAA923000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0x82D4A000 C:\Windows\System32\Drivers\PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0x8CD98000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0x93510000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)

0x87BF7000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)

0x806DD000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0x82CD8000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)

0x80492000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)

0x879F6000 C:\Windows\system32\DRIVERS\FwLnk.sys 32768 bytes (TOSHIBA Corporation, TOSHIBA Firmware Linkage 32-bit Driver)

0x806E6000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)

0x8CD6F000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)

0x8CD77000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)

0x87B9F000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)

0x8CD3B000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)

0x8040A000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0x8CD34000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)

0x8079A000 C:\Windows\system32\DRIVERS\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

0x8C3F7000 C:\Windows\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)

0x8C76B000 C:\Windows\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)

0x8C745000 C:\Windows\system32\DRIVERS\jswpslwf.sys 20480 bytes (Atheros Communications, Inc., Atheros Security NDIS 6.0 Filter Driver)

0xAA8F6000 C:\Windows\system32\DRIVERS\LVPr2Mon.sys 20480 bytes (-, -)

0x87B57000 C:\Windows\system32\DRIVERS\TVALZ_O.SYS 20480 bytes (TOSHIBA Corporation, TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Driver)

0x82F93000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)

0x80724000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)

0x8CDFD000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)

0x8C3FD000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0x8C3EA000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

==============================================

>Stealth

==============================================

==============================================

>Files

==============================================

!-->[Hidden] C:\Users\FLORA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1CQ11U82\activity-dora-saves-the-farm%7C!category-dora_showid%7Cshowid-dora_showid%7Ctile-1%7Ctag-adj%7Cmtype-standard%7Csz-728x90%7Cdcopt-ist;ord=526845144803655700[1]1]

!-->[Hidden] C:\Users\FLORA\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WTL04610\activity-dora-saves-the-farm%7C!category-dora_showid%7Cshowid-dora_showid%7Ctile-13%7Cnode-survey%7Ctag-adj%7Cmtype-standard%7Csz-1x2;ord=371179495030649100[1]1]

==============================================

>Hooks

==============================================

ntkrnlpa.exe+0x000A87AA, Type: Inline - RelativeJump 0x81EC67AA-->81EC67B1 [ntkrnlpa.exe]

ntkrnlpa.exe-->KeFindConfigurationEntry, Type: Inline - RelativeJump 0x821722C7-->8217231D [ntkrnlpa.exe]

[3944]LWS.exe-->kernel32.dll-->FindResourceA, Type: IAT modification 0x0050A2F4-->00000000 [LWS.exe]

[3944]LWS.exe-->kernel32.dll-->FindResourceExW, Type: IAT modification 0x0050A2F0-->00000000 [LWS.exe]

[3944]LWS.exe-->kernel32.dll-->FindResourceW, Type: IAT modification 0x0050A4CC-->00000000 [LWS.exe]

[3944]LWS.exe-->kernel32.dll-->FreeResource, Type: IAT modification 0x0050A3F8-->00000000 [LWS.exe]

[3944]LWS.exe-->kernel32.dll-->GetProfileIntA, Type: IAT modification 0x0050A2EC-->00000000 [LWS.exe]

[3944]LWS.exe-->kernel32.dll-->GetProfileIntW, Type: IAT modification 0x0050A388-->00000000 [LWS.exe]

[3944]LWS.exe-->kernel32.dll-->LoadResource, Type: IAT modification 0x0050A4D0-->00000000 [LWS.exe]

[3944]LWS.exe-->kernel32.dll-->LockResource, Type: IAT modification 0x0050A4D4-->00000000 [LWS.exe]

[3944]LWS.exe-->kernel32.dll-->ntdll.dll-->NtClose, Type: IAT modification 0x77DF1050-->00000000 [LVPrcInj01.dll]

[3944]LWS.exe-->kernel32.dll-->ntdll.dll-->NtCreateFile, Type: IAT modification 0x77DF1018-->00000000 [LVPrcInj01.dll]

[3944]LWS.exe-->kernel32.dll-->ntdll.dll-->NtDeviceIoControlFile, Type: IAT modification 0x77DF1054-->00000000 [LVPrcInj01.dll]

[3944]LWS.exe-->kernel32.dll-->ntdll.dll-->NtDuplicateObject, Type: IAT modification 0x77DF1354-->00000000 [LVPrcInj01.dll]

[3944]LWS.exe-->kernel32.dll-->SizeofResource, Type: IAT modification 0x0050A4D8-->00000000 [LWS.exe]

[3944]LWS.exe-->user32.dll-->LoadMenuA, Type: IAT modification 0x0050A7E0-->00000000 [LWS.exe]

[3944]LWS.exe-->user32.dll-->LoadMenuW, Type: IAT modification 0x0050A6E8-->00000000 [LWS.exe]

[3944]LWS.exe-->user32.dll-->LoadStringA, Type: IAT modification 0x0050A7DC-->00000000 [LWS.exe]

[3944]LWS.exe-->user32.dll-->LoadStringW, Type: IAT modification 0x0050A7D8-->00000000 [LWS.exe]

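The ">Hooks" section above mixes kernel inline hooks with per-process IAT modifications, and the bracketed name at the end of each line is the module Rootkit Unhooker credits the hook to. As an added example (not part of this thread or of Rootkit Unhooker), the following parser takes lines in that format, here four copied from the report above, and groups them by owning module so that a module hooking a process it is not itself part of, such as LVPrcInj01.dll inside LWS.exe, stands out for manual review; whether such a module is legitimate is a judgement the code does not make.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Four lines copied from the ">Hooks" section of the report above (page values, not constructed).
SAMPLE_HOOKS = """\
ntkrnlpa.exe+0x000A87AA, Type: Inline - RelativeJump 0x81EC67AA-->81EC67B1 [ntkrnlpa.exe]
ntkrnlpa.exe-->KeFindConfigurationEntry, Type: Inline - RelativeJump 0x821722C7-->8217231D [ntkrnlpa.exe]
[3944]LWS.exe-->kernel32.dll-->FindResourceA, Type: IAT modification 0x0050A2F4-->00000000 [LWS.exe]
[3944]LWS.exe-->kernel32.dll-->ntdll.dll-->NtCreateFile, Type: IAT modification 0x77DF1018-->00000000 [LVPrcInj01.dll]
"""

# Shape of one RkU hook line, as seen in the report:
#   [<pid>]<modules joined by '-->' ending in a function>, Type: <kind> 0x<from>--><to> [<owner>]
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>.+?), Type: (?P<kind>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"
)


@dataclass
class Hook:
    pid: Optional[int]     # None for kernel-mode hooks (no [pid] prefix)
    chain: List[str]       # process/module path, e.g. ['LWS.exe', 'kernel32.dll', 'ntdll.dll']
    function: str          # hooked export, or '+0x<offset>' when RkU reports a raw image offset
    kind: str              # 'Inline - RelativeJump', 'IAT modification', ...
    src: int               # address of the patched location
    dst: int               # where control is redirected (0 when RkU prints 00000000)
    owner: str             # module RkU attributes the hook to


def parse_hook_line(line: str) -> Optional[Hook]:
    """Parse one hook line; return None for separators and other non-hook text."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    parts = m["chain"].split("-->")
    if len(parts) == 1 and "+0x" in parts[0]:
        # e.g. 'ntkrnlpa.exe+0x000A87AA': image name plus raw offset, no symbol name
        module, offset = parts[0].split("+", 1)
        parts, function = [module], "+" + offset
    else:
        function = parts.pop()
    return Hook(
        pid=int(m["pid"]) if m["pid"] else None,
        chain=parts,
        function=function,
        kind=m["kind"],
        src=int(m["src"], 16),
        dst=int(m["dst"], 16),
        owner=m["owner"],
    )


def parse_report(text: str) -> List[Hook]:
    """Parse every hook line in a ">Hooks" section, skipping lines that do not match."""
    return [h for h in (parse_hook_line(l) for l in text.splitlines()) if h]


def hooks_by_owner(hooks: List[Hook]) -> Counter:
    """Count hooks per owning module; a module credited with many hooks is the first to examine."""
    return Counter(h.owner for h in hooks)


def foreign_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose owner is neither the process nor any module on the hooked path,
    i.e. code that was loaded into the process from elsewhere."""
    return [h for h in hooks if h.owner not in h.chain]


if __name__ == "__main__":
    hooks = parse_report(SAMPLE_HOOKS)
    for owner, n in hooks_by_owner(hooks).most_common():
        print(f"{n:3d} hook(s) owned by {owner}")
    for h in foreign_hooks(hooks):
        print(f"review: pid {h.pid} {'-->'.join(h.chain)}-->{h.function} hooked by {h.owner} ({h.kind})")
```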

Perform a full scan with Avira and let it delete everything it is finding.

Then reboot.

After reboot, open your Avira and select "reports".

There double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.


Avira AntiVir Personal

Report file date: Saturday, October 23, 2010 11:20

Scanning for 2963178 virus strains and unwanted programs.

The program is running as an unrestricted full version.

Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows Vista

Windows version : (Service Pack 2) [6.0.6002]

Boot mode : Normally booted

Username : SYSTEM

Computer name : TOSHIBA

Version information:

BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00

AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/22/2010 15:53:39

AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/22/2010 15:53:39

LUKE.DLL : 10.0.2.3 104296 Bytes 3/7/2010 22:33:04

LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 03:40:49

VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 02:45:20

VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 02:45:20

VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 22:43:32

VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 12:16:32

VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 16:30:50

VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 21:51:27

VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 16:56:00

VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 16:28:17

VBASE008.VDF : 7.10.11.133 3454464 Bytes 9/13/2010 15:37:59

VBASE009.VDF : 7.10.11.134 2048 Bytes 9/13/2010 15:37:59

VBASE010.VDF : 7.10.11.135 2048 Bytes 9/13/2010 15:37:59

VBASE011.VDF : 7.10.11.136 2048 Bytes 9/13/2010 15:37:59

VBASE012.VDF : 7.10.11.137 2048 Bytes 9/13/2010 15:38:00

VBASE013.VDF : 7.10.11.165 172032 Bytes 9/15/2010 15:38:01

VBASE014.VDF : 7.10.11.202 144384 Bytes 9/18/2010 15:24:16

VBASE015.VDF : 7.10.11.231 129024 Bytes 9/21/2010 16:38:40

VBASE016.VDF : 7.10.12.4 126464 Bytes 9/23/2010 16:38:41

VBASE017.VDF : 7.10.12.38 146944 Bytes 9/27/2010 15:26:15

VBASE018.VDF : 7.10.12.64 133120 Bytes 9/29/2010 16:14:03

VBASE019.VDF : 7.10.12.99 134144 Bytes 10/1/2010 20:33:25

VBASE020.VDF : 7.10.12.122 131584 Bytes 10/5/2010 06:24:55

VBASE021.VDF : 7.10.12.148 119296 Bytes 10/7/2010 06:24:56

VBASE022.VDF : 7.10.12.175 142848 Bytes 10/11/2010 15:02:27

VBASE023.VDF : 7.10.12.198 131584 Bytes 10/13/2010 15:02:31

VBASE024.VDF : 7.10.12.216 133120 Bytes 10/14/2010 15:02:34

VBASE025.VDF : 7.10.12.238 137728 Bytes 10/18/2010 17:57:17

VBASE026.VDF : 7.10.12.254 129536 Bytes 10/20/2010 17:57:18

VBASE027.VDF : 7.10.13.22 137728 Bytes 10/22/2010 15:20:05

VBASE028.VDF : 7.10.13.23 2048 Bytes 10/22/2010 15:20:05

VBASE029.VDF : 7.10.13.24 2048 Bytes 10/22/2010 15:20:05

VBASE030.VDF : 7.10.13.25 2048 Bytes 10/22/2010 15:20:06

VBASE031.VDF : 7.10.13.27 12288 Bytes 10/22/2010 15:20:06

Engineversion : 8.2.4.84

AEVDF.DLL : 8.1.2.1 106868 Bytes 8/1/2010 17:18:38

AESCRIPT.DLL : 8.1.3.45 1368443 Bytes 9/20/2010 15:24:33

AESCN.DLL : 8.1.6.1 127347 Bytes 5/12/2010 21:17:22

AESBX.DLL : 8.1.3.1 254324 Bytes 4/26/2010 04:41:10

AERDL.DLL : 8.1.9.2 635252 Bytes 9/23/2010 16:38:46

AEPACK.DLL : 8.2.3.11 471416 Bytes 10/11/2010 16:02:56

AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/23/2010 02:10:33

AEHEUR.DLL : 8.1.2.36 2974072 Bytes 10/20/2010 17:57:33

AEHELP.DLL : 8.1.14.0 246134 Bytes 10/11/2010 16:02:30

AEGEN.DLL : 8.1.3.23 401779 Bytes 10/1/2010 16:14:08

AEEMU.DLL : 8.1.2.0 393588 Bytes 4/26/2010 04:41:07

AECORE.DLL : 8.1.17.0 196982 Bytes 9/28/2010 15:26:20

AEBB.DLL : 8.1.1.0 53618 Bytes 4/26/2010 04:41:06

AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 16:03:38

AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 16:03:35

AVREP.DLL : 10.0.0.8 62209 Bytes 2/18/2010 20:47:40

AVREG.DLL : 10.0.3.0 53096 Bytes 4/22/2010 15:53:39

AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/22/2010 15:53:39

AVARKT.DLL : 10.0.0.14 227176 Bytes 4/22/2010 15:53:39

AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 13:53:30

SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 16:57:58

AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 19:38:56

NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 18:41:00

RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 17:10:20

RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/22/2010 15:53:39

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: C:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:,

Process scan........................: on

Extended process scan...............: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Saturday, October 23, 2010 11:20

Starting search for hidden objects.

c:\program files\logitech\logitech webcam software\lu\lulnchr.exe

c:\Program Files\Logitech\Logitech WebCam Software\LU\LULnchr.exe

[NOTE] The process is not visible.

The scan of running processes will be started

Scan process 'SearchFilterHost.exe' - '32' Module(s) have been scanned

Scan process 'SearchProtocolHost.exe' - '51' Module(s) have been scanned

Scan process 'taskeng.exe' - '24' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '46' Module(s) have been scanned

Scan process 'svchost.exe' - '30' Module(s) have been scanned

Scan process 'vssvc.exe' - '49' Module(s) have been scanned

Scan process 'avscan.exe' - '81' Module(s) have been scanned

Scan process 'avscan.exe' - '29' Module(s) have been scanned

Scan process 'SynTPHelper.exe' - '14' Module(s) have been scanned

Scan process 'iexplore.exe' - '105' Module(s) have been scanned

Scan process 'ViewMgr.exe' - '36' Module(s) have been scanned

Scan process 'FlashUtil10k_ActiveX.exe' - '33' Module(s) have been scanned

Scan process 'iexplore.exe' - '131' Module(s) have been scanned

Scan process 'iexplore.exe' - '88' Module(s) have been scanned

Scan process 'iPodService.exe' - '30' Module(s) have been scanned

Scan process 'wmiprvse.exe' - '33' Module(s) have been scanned

Scan process 'unsecapp.exe' - '28' Module(s) have been scanned

Scan process 'igfxext.exe' - '19' Module(s) have been scanned

Scan process 'COCIManager.exe' - '36' Module(s) have been scanned

Scan process 'CFSwMgr.exe' - '72' Module(s) have been scanned

Scan process 'jusched.exe' - '22' Module(s) have been scanned

Scan process 'LWS.exe' - '68' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '73' Module(s) have been scanned

Scan process 'nmapp.exe' - '65' Module(s) have been scanned

Scan process 'nmctxth.exe' - '53' Module(s) have been scanned

Scan process 'avgnt.exe' - '53' Module(s) have been scanned

Scan process 'NDSTray.exe' - '91' Module(s) have been scanned

Scan process 'TCrdMain.exe' - '64' Module(s) have been scanned

Scan process 'SmoothView.exe' - '13' Module(s) have been scanned

Scan process 'TPwrMain.exe' - '37' Module(s) have been scanned

Scan process 'SynTPEnh.exe' - '34' Module(s) have been scanned

Scan process 'IAAnotif.exe' - '38' Module(s) have been scanned

Scan process 'RtHDVCpl.exe' - '52' Module(s) have been scanned

Scan process 'igfxsrvc.exe' - '25' Module(s) have been scanned

Scan process 'igfxpers.exe' - '23' Module(s) have been scanned

Scan process 'hkcmd.exe' - '23' Module(s) have been scanned

Scan process 'Explorer.EXE' - '138' Module(s) have been scanned

Scan process 'taskeng.exe' - '82' Module(s) have been scanned

Scan process 'Dwm.exe' - '32' Module(s) have been scanned

Scan process 'taskeng.exe' - '49' Module(s) have been scanned

Scan process 'nmsrvc.exe' - '94' Module(s) have been scanned

Scan process 'WLIDSvcM.exe' - '16' Module(s) have been scanned

Scan process 'IAANTMon.exe' - '36' Module(s) have been scanned

Scan process 'SearchIndexer.exe' - '63' Module(s) have been scanned

Scan process 'WLIDSVC.EXE' - '70' Module(s) have been scanned

Scan process 'svchost.exe' - '9' Module(s) have been scanned

Scan process 'ViewpointService.exe' - '32' Module(s) have been scanned

Scan process 'ULCDRSvr.exe' - '5' Module(s) have been scanned

Scan process 'TosIPCSrv.exe' - '18' Module(s) have been scanned

Scan process 'TosCoSrv.exe' - '20' Module(s) have been scanned

Scan process 'TODDSrv.exe' - '23' Module(s) have been scanned

Scan process 'TNaviSrv.exe' - '19' Module(s) have been scanned

Scan process 'TMachInfo.exe' - '31' Module(s) have been scanned

Scan process 'svchost.exe' - '44' Module(s) have been scanned

Scan process 'svchost.exe' - '42' Module(s) have been scanned

Scan process 'svchost.exe' - '22' Module(s) have been scanned

Scan process 'avshadow.exe' - '33' Module(s) have been scanned

Scan process 'LVPrcSrv.exe' - '29' Module(s) have been scanned

Scan process 'CFSvcs.exe' - '71' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '30' Module(s) have been scanned

Scan process 'atashost.exe' - '19' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '32' Module(s) have been scanned

Scan process 'avguard.exe' - '65' Module(s) have been scanned

Scan process 'agrsmsvc.exe' - '16' Module(s) have been scanned

Scan process 'svchost.exe' - '59' Module(s) have been scanned

Scan process 'sched.exe' - '56' Module(s) have been scanned

Scan process 'spoolsv.exe' - '82' Module(s) have been scanned

Scan process 'WLANExt.exe' - '45' Module(s) have been scanned

Scan process 'svchost.exe' - '95' Module(s) have been scanned

Scan process 'svchost.exe' - '87' Module(s) have been scanned

Scan process 'SLsvc.exe' - '23' Module(s) have been scanned

Scan process 'svchost.exe' - '37' Module(s) have been scanned

Scan process 'svchost.exe' - '154' Module(s) have been scanned

Scan process 'svchost.exe' - '113' Module(s) have been scanned

Scan process 'svchost.exe' - '64' Module(s) have been scanned

Scan process 'svchost.exe' - '33' Module(s) have been scanned

Scan process 'PresentationFontCache.exe' - '30' Module(s) have been scanned

Scan process 'svchost.exe' - '40' Module(s) have been scanned

Scan process 'winlogon.exe' - '30' Module(s) have been scanned

Scan process 'lsm.exe' - '22' Module(s) have been scanned

Scan process 'lsass.exe' - '60' Module(s) have been scanned

Scan process 'services.exe' - '33' Module(s) have been scanned

Scan process 'csrss.exe' - '14' Module(s) have been scanned

Scan process 'wininit.exe' - '26' Module(s) have been scanned

Scan process 'csrss.exe' - '14' Module(s) have been scanned

Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).

The registry was scanned ( '1657' files ).

Starting the file scan:

Begin scan in 'C:\' <SQ004816V03>

C:\Qoobox\Quarantine\C\Windows\System32\USRINI~1.EXE.vir

[DETECTION] Is the TR/FraudPack.kva.64 Trojan

Beginning disinfection:

C:\Qoobox\Quarantine\C\Windows\System32\USRINI~1.EXE.vir

[DETECTION] Is the TR/FraudPack.kva.64 Trojan

[NOTE] The file was moved to the quarantine directory under the name '4876b611.qua'.

End of the scan: Saturday, October 23, 2010 12:50

Used time: 1:26:16 Hour(s)

The scan has been done completely.

25858 Scanned directories

415559 Files were scanned

1 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

1 Files were moved to quarantine

0 Files were renamed

0 Files cannot be scanned

415558 Files not concerned

1802 Archives were scanned

0 Warnings

1 Notes

498549 Objects were scanned with rootkit scan

1 Hidden objects were found

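Reading a long Avira log like the one above by hand is error-prone, and the one detail that matters for triage is easy to miss: the only file flagged (USRINI~1.EXE.vir) was sitting inside ComboFix's Qoobox quarantine folder, so it was already contained before Avira touched it. The following Python parser is an added example, not code from the thread or from Avira; it pulls out [DETECTION] entries, the quarantine [NOTE] that follows them, hidden-process notes from the rootkit search, and the numeric summary lines, then reports which detections still need attention. The sample log is constructed in the format quoted above; the Temp\dropper.tmp entry and its "TR/Example.Constructed" name are invented for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format of the Avira log quoted above. The Qoobox
# entry and the hidden Logitech process mirror the thread; the Temp\dropper.tmp
# entry and its "TR/Example.Constructed" name are invented for this example.
SAMPLE_LOG = r"""
Starting search for hidden objects.
c:\Program Files\Logitech\Logitech WebCam Software\LU\LULnchr.exe
[NOTE] The process is not visible.
Starting the file scan:
Begin scan in 'C:\' <SQ004816V03>
C:\Qoobox\Quarantine\C\Windows\System32\USRINI~1.EXE.vir
[DETECTION] Is the TR/FraudPack.kva.64 Trojan
C:\Users\example\AppData\Local\Temp\dropper.tmp
[DETECTION] Is the TR/Example.Constructed Trojan
Beginning disinfection:
C:\Qoobox\Quarantine\C\Windows\System32\USRINI~1.EXE.vir
[DETECTION] Is the TR/FraudPack.kva.64 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4876b611.qua'.
End of the scan: Saturday, October 23, 2010 12:50
1 Viruses and/or unwanted programs were found
1 Hidden objects were found
"""

# Folders where another tool has already isolated the file; ComboFix's Qoobox
# quarantine is the one that appears in the thread.
QUARANTINE_DIRS = ("\\qoobox\\quarantine\\",)

PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECT_RE = re.compile(r"^\[DETECTION\] Is the (.+)$")
QUAR_RE = re.compile(r"^\[NOTE\] The file was moved to the quarantine directory under the name '([^']+)'\.")
HIDDEN_RE = re.compile(r"^\[NOTE\] The process is not visible\.")
TOTAL_RE = re.compile(r"^(\d+) ([A-Za-z].*)$")


@dataclass
class Detection:
    path: str
    name: str
    already_contained: bool          # file lives in another tool's quarantine folder
    quarantined_as: Optional[str] = None  # name Avira gave it in its own quarantine


@dataclass
class Report:
    detections: Dict[str, Detection]  # keyed by lower-cased path, deduplicated
    hidden: List[str]                 # paths the rootkit search flagged as not visible
    totals: Dict[str, int]            # summary lines such as "Hidden objects were found"


def parse_avira_log(text: str) -> Report:
    """Walk the log line by line; a path line sets the context for the
    [DETECTION]/[NOTE] lines that follow it, as in Avira's layout."""
    detections: Dict[str, Detection] = {}
    hidden: List[str] = []
    totals: Dict[str, int] = {}
    last_path: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            last_path = line
            continue
        m = DETECT_RE.match(line)
        if m and last_path:
            key = last_path.lower()
            if key not in detections:  # the disinfection pass repeats the same file
                detections[key] = Detection(
                    path=last_path,
                    name=m.group(1),
                    already_contained=any(q in key for q in QUARANTINE_DIRS),
                )
            continue
        m = QUAR_RE.match(line)
        if m and last_path:
            d = detections.get(last_path.lower())
            if d:
                d.quarantined_as = m.group(1)
            continue
        if HIDDEN_RE.match(line) and last_path:
            hidden.append(last_path)
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals[m.group(2)] = int(m.group(1))
    return Report(detections=detections, hidden=hidden, totals=totals)


def needs_attention(report: Report) -> List[Detection]:
    """Detections that were neither already in a quarantine folder nor moved
    to Avira's quarantine: the ones a helper would still have to act on."""
    return [d for d in report.detections.values()
            if not d.already_contained and d.quarantined_as is None]


if __name__ == "__main__":
    rep = parse_avira_log(SAMPLE_LOG)
    for d in rep.detections.values():
        print(f"{d.name}: {d.path} contained={d.already_contained} quarantined_as={d.quarantined_as}")
    print("hidden:", rep.hidden)
    print("still open:", [d.path for d in needs_attention(rep)])
```

Run against the sample, the Qoobox hit is reported as already contained (and then moved to Avira's quarantine as 4876b611.qua), the hidden Logitech launcher is listed separately for a human to judge, and only the constructed Temp file comes back from needs_attention. Hidden processes are deliberately not treated as detections: in this thread the hidden object was a legitimate webcam launcher, and deciding that is the helper's call, not the parser's.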

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Now click on Advanced Settings and select the following:

    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Glad I could help! :)

Last steps:

Step 1

  1. Go to Start => Run... and copy & paste next command in the field:
    ComboFix /uninstall


  2. Then hit Enter button.

This procedure will do the following:

  • Uninstall ComboFix
  • Delete its related folders and files
  • Reset your clock settings
  • Hide file extensions
  • Hide the system/hidden files
  • Reset System Restore again

P.S.: Make sure there's a space between ComboFix and /uninstall

Step 2

Please manually delete Rootkit Unhooker, DDS and GMER.

Step 3

Please uninstall ESET Online Scanner.

Step 4

Some malware preventions:

http://www.bleepingcomputer.com/tutorials/tutorial174.html

http://forums.malwarebytes.org/index.php?showtopic=9365

Safe surfing! :)


This case is resolved, and the topic is now closed.

The procedures used here were only for -this system- and no other.

If you are a casual viewer and are having issues, please create your own New Topic and follow forum procedures.

See http://www.malwarebytes.org/forums/index.php?showtopic=9573
