Suspect Malware has me by the short and curlies


Warlock

Hi,

I think I have a valid malware concern. Antivirus (Avira) will not initiate; when I run MBAM it restarts the PC (sometimes only), and so on and so on... it just feels like I can't do enough malware cleanup before it shuts me down.

SAS found 2 trojans and a spamming-type virus (I think)...

Please HELP!!

______________

DDS (Ver_10-12-12.02) - NTFSx86

Run by Ryan at 19:16:23.98 on 17/12/2010

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1789.988 [GMT 2:00]

AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskhost.exe

C:\Windows\Explorer.EXE

C:\Program Files\Microsoft SQL Server\MSSQL$HEALTHBRIDGE\Binn\sqlservr.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\lg_fwupdate\fwupdate.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

C:\Program Files\SMC\802.11g Wireless PCI Adapter\SMC11GMonitor.exe

C:\Program Files\Health Focus\Eminance Server\Autobackup\GBAKSchd.exe

C:\program files\Lexmark Applications\QLink\QLINK.EXE

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\HBridge\HSuite3\bin\Launcher.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\System32\mobsync.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

d:\757c4f92befaa7251857a974a1ce\MPSigStub.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\AIM Spyware Remover\AIM Spyware Remover.exe

C:\Program Files\AIM Spyware Remover\AIM Spyware Remover.exe

C:\Program Files\Rising\AntiSpyware\rstray.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\UI0Detect.exe

C:\Windows\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Users\Ryan\Downloads\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL

BHO: Rising PC Doctor: {98b7c13a-e9cd-4959-8b46-fbeab41e42a8} - c:\windows\system32\UrlFilter.dll

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [updateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"

mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"

mRun: [updateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"

mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"

mRun: [updatePPShortCut] "c:\program files\cyberlink\powerproducer\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerproducer" updatewithcreateonce "software\cyberlink\powerproducer\5.0"

mRun: [uCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"

mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun

mRun: [updatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [interBaseGuardian] c:\program files\borland\interbase\\bin\ibguard.exe -a

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [runeip] "c:\program files\rising\antispyware\rstray.exe" /startup

StartupFolder: c:\users\ryan\appdata\roaming\micros~1\windows\startm~1\programs\startup\health~1.lnk - c:\hbridge\hsuite3\bin\Launcher.exe

StartupFolder: c:\users\ryan\appdata\roaming\micros~1\windows\startm~1\programs\startup\interb~1.lnk - c:\windows\system32\ibmgr.cpl

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\80211g~1.lnk - c:\program files\smc\802.11g wireless pci adapter\SMC11GMonitor.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\eserver.lnk - c:\program files\health focus\eminance server\EServer.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gbakschd.lnk - c:\program files\health focus\eminance server\autobackup\GBAKSchd.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\medpra~1.lnk - c:\windows\installer\{e9df1839-5033-4ad9-ba99-327e6895a575}\_3D10B24E93D63CA4DE7D8A.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\qlink.lnk - c:\program files\lexmark applications\qlink\QLINK.EXE

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: kmon.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\ryan\appdata\roaming\mozilla\firefox\profiles\stm4sm2e.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: JavaScript Debugger: {f13b157f-b174-47e7-a34d-4815ddfdfeb8} - %profile%\extensions\{f13b157f-b174-47e7-a34d-4815ddfdfeb8}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-9-4 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 67656]

R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-15 135336]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-15 60936]

R2 MSSQL$HEALTHBRIDGE;MSSQL$HEALTHBRIDGE;c:\program files\microsoft sql server\mssql$healthbridge\binn\sqlservr.exe [2005-5-4 9150464]

R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller (NDIS 6.20);c:\windows\system32\drivers\L1C62x86.sys [2010-10-29 54784]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-10-29 38224]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-15 267432]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 12872]

S3 SQLAgent$HEALTHBRIDGE;SQLAgent$HEALTHBRIDGE;c:\program files\microsoft sql server\mssql$healthbridge\binn\sqlagent.EXE [2005-5-3 323584]

=============== Created Last 30 ================

2010-12-17 09:34:25 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-12-17 09:23:17 -------- d-----w- c:\progra~2\Hitman Pro

2010-12-17 09:23:16 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-12-17 09:23:11 388096 ----a-r- c:\users\ryan\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2010-12-17 09:23:11 -------- d-----w- c:\program files\Trend Micro

2010-12-16 22:30:18 -------- d-----w- c:\program files\AIM Spyware Remover

2010-12-16 22:29:43 96880 ------w- c:\windows\system32\KakaTool.dll

2010-12-16 22:29:43 637592 ------w- c:\windows\system32\kmon.dll

2010-12-16 22:29:43 15776 ------w- c:\windows\system32\kknative.exe

2010-12-16 22:29:43 100976 ------w- c:\windows\system32\UrlFilter.dll

2010-12-16 22:29:43 -------- d-----w- c:\progra~2\Rising

2010-12-16 22:29:19 -------- d-----w- c:\program files\Rising

2010-12-16 21:50:46 6273872 ------w- c:\progra~2\microsoft\windows defender\definition updates\updates\mpengine.dll

2010-12-16 10:23:43 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com

2010-12-16 10:23:22 -------- d-----w- c:\users\ryan\appdata\roaming\SUPERAntiSpyware.com

2010-12-16 10:23:22 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-12-16 10:22:36 -------- d-----w- c:\program files\common files\Wise Installation Wizard

2010-12-16 03:17:09 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{c28f2e85-7c46-4028-bd7b-1e6e2a15fe6a}\mpengine.dll

2010-12-15 21:36:20 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-12-15 21:36:19 -------- d-----w- c:\program files\Avira

2010-12-15 21:36:19 -------- d-----w- c:\progra~2\Avira

2010-12-15 19:54:53 -------- d-----w- c:\progra~2\MFAData

2010-12-15 13:33:48 -------- d-sh--w- C:\found.000

2010-12-10 00:36:41 539968 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight-2\SpotlightResources.dll

2010-11-25 11:10:03 737072 ----a-w- c:\progra~2\microsoft\ehome\packages\sportsv2\sportstemplatecore-2\Microsoft.MediaCenter.Sports.UI.dll

2010-11-25 11:09:48 4277016 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\updateablemarkup-2\markup.dll

2010-11-25 11:09:28 42776 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\dsm-2\StartResources.dll

2010-11-25 10:08:23 4277016 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\updateablemarkup\markup.dll

2010-11-25 10:07:57 42776 ----a-w- c:\progra~2\microsoft\ehome\packages\mceclientux\dsm\StartResources.dll

2010-11-25 10:07:52 588096 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll

==================== Find3M ====================

2010-11-09 07:41:45 5368 ----a-w- c:\windows\system32\SWEC.sys

2010-10-29 12:05:33 20480 ----a-w- c:\windows\system32\cliconfg.728

2010-10-28 23:01:08 29480 ----a-w- c:\windows\system32\msxml3a.dll

2010-10-28 23:01:07 505128 ----a-w- c:\windows\system32\msvcp71.dll

2010-10-28 23:01:07 353576 ----a-w- c:\windows\system32\msvcr71.dll

2010-10-19 08:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 19:16:54.15 ===============

defogger_disable.log

Attach.zip


2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
