
Malware still closing- logs attached



I followed the guide on this link http://forums.malwarebytes.org/index.php?showtopic=9573

I'm infected - What do I do now?, Please follow these instructions to clean your system

I ran the clean program and reinstalled Malwarebytes, but the program still closes a few seconds after it runs.

I ran DeFogger - Disable

DDS (Ver_10-12-12.02) - NTFSx86

Run by User at 5:38:03.45 on Fri 12/31/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1911.1173 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\UltraVNC\WinVNC.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\UltraVNC\WinVNC.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Windows Live\Toolbar\wltuser.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\User\My Documents\Downloads\MalWare-removal\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

Trusted Zone: avira.com\www

Trusted Zone: blizzard.com\us

Trusted Zone: intuit.com\ttlc

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://fb.familylink.com/we_are_related/stream/core/lib/AurigmaImageUploader/ImageUploader5.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Filter: text/html - {4e097f8d-7bcd-406a-884e-48d4f450cafe} -

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2009-4-6 174600]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-19 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-9 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-9 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-9 243024]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]

R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-4-8 1693128]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-30 38224]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-21 135664]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1029456]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2010-7-31 91496]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-9 308136]

S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]

S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]

S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2010-12-30 23:19:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-30 23:19:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-30 23:19:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-30 17:58:42 -------- d-----w- c:\windows\system32\wbem\repository\FS

2010-12-30 17:58:42 -------- d-----w- c:\windows\system32\wbem\Repository

2010-12-30 17:58:07 -------- d--h--w- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}

2010-12-30 17:57:51 -------- d-----w- c:\program files\Lavasoft

2010-12-30 17:43:45 -------- d-----w- C:\_OTL

2010-12-27 18:13:55 -------- d-----w- C:\$AVG

2010-12-27 17:41:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-12-02 14:29:24 -------- d-----w- c:\docume~1\user\applic~1\Microsoft Corporation

2010-12-02 14:06:09 -------- d-----w- c:\docume~1\user\applic~1\DVD Flick

2010-12-02 14:05:48 40960 ----a-w- c:\windows\system32\ssubtmr6.dll

2010-12-02 14:05:47 36864 ----a-w- c:\windows\system32\trayicon_handler.ocx

2010-12-02 14:05:47 28672 ----a-w- c:\windows\system32\mousewheel.ocx

2010-12-02 14:05:47 212240 ----a-w- c:\windows\system32\richtx32.ocx

2010-12-02 14:05:47 164144 ----a-w- c:\windows\system32\comct232.ocx

2010-12-02 14:05:47 -------- d-----w- c:\program files\DVD Flick

2010-12-02 13:54:00 839680 ----a-w- c:\windows\system32\lameACM.acm

2010-12-02 13:54:00 178176 ----a-w- c:\windows\system32\unrar.dll

2010-12-02 13:53:59 881664 ----a-w- c:\windows\system32\xvidcore.dll

2010-12-02 13:53:59 217088 ----a-w- c:\windows\system32\yv12vfw.dll

2010-12-02 13:53:59 205824 ----a-w- c:\windows\system32\xvidvfw.dll

2010-12-02 13:53:59 118784 ----a-w- c:\windows\system32\ac3acm.acm

2010-12-02 13:53:58 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2010-12-02 13:53:57 -------- d-----w- c:\program files\K-Lite Codec Pack

2010-12-01 22:34:11 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll

2010-12-01 22:33:58 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll

2010-12-01 22:33:07 -------- d-----w- c:\windows\system32\RsFx

2010-12-01 22:30:39 -------- d-----w- c:\program files\Microsoft SQL Server

2010-12-01 22:29:21 -------- d-----w- c:\program files\Microsoft Synchronization Services

2010-12-01 22:28:47 112832 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\vcexpress\10.0\1033\ResourceCache.dll

2010-12-01 22:27:11 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0

2010-12-01 22:27:11 -------- d-----w- c:\program files\Microsoft Help Viewer

2010-12-01 22:27:11 -------- d-----w- c:\program files\common files\Merge Modules

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll

2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 5:39:23.29 ===============

Reactivated Avast Anti Virus and it picked up a DPY.dat file in the TEMP folder. This allowed Malwarebytes to finally run. I've tried to delete this file but it keeps reappearing; not sure if it is being created somewhere else. Quick Scan did not report any issue; running a full scan now, so far it has detected 1 infected file. The Avast program keeps popping up:

Object: C:\Document~1\User\Locals~1\Temp\DPY.dat

Infection: Win32:Malware-gen

Action: Move to chest

Process: C:\Windows\system32\mspaint.exe

It does the same thing when running Notepad or any other program I try to run.

Malwarebytes finished the full scan and found the one infected file:

Heuristics.shuriken Item: cbackupprogram filesYahoo!ymsgrie.exe

Attach.zip

ark.zip

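A helper reads a log like the one above by eye, and the first pass is always the same handful of questions: what is running from a folder a limited user can write to, which BHO/toolbar entries point at a DLL that no longer exists ("No File"), is there a MIME filter or handler with no module path, has the Hosts file been touched, and what was dropped into system32 recently. The script below is an added example, not code from the original post, from the DDS tool, or from the Malwarebytes staff reply; it splits a pasted DDS log into its "=== Section ===" blocks and returns those findings as review prompts, not verdicts (the freshly installed scanner driver in this log would trip the system32 check, and the EPSON status monitor trips the user-writable-path check). The embedded sample log is constructed from lines in the post with the backslashes restored; the function names `split_sections`, `triage` and `summarize` and the marker lists are mine.

```python
"""Triage a pasted DDS log: pull out the entries a helper asks about first.

Added example (not from the forum thread or the DDS tool). Findings are
prompts for human review; legitimate software trips them too.
"""
import re

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Folders a limited user can write to on XP (assumed marker list, lower-case).
USER_WRITABLE = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\temp\\",
    "\\downloads\\",
)

# Constructed sample in the shape of the log above (backslashes restored).
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Documents and Settings\User\My Documents\Downloads\MalWare-removal\dds.scr
============== Pseudo HJT Report ===============
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Filter: text/html - {4e097f8d-7bcd-406a-884e-48d4f450cafe} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Hosts: 127.0.0.1 www.spywareinfo.com
=============== Created Last 30 ================
2010-12-30 23:19:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-02 14:05:48 40960 ----a-w- c:\windows\system32\ssubtmr6.dll
============= FINISH: 5:39:23.29 ===============
"""


def split_sections(text):
    """Return {section name (lower-case): [non-empty lines]} for a DDS log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return a list of (finding, log line) pairs worth a human's attention."""
    findings = []
    sections = split_sections(text)

    for proc in sections.get("running processes", []):
        exe = proc.split(" -k ")[0].lower()  # drop svchost service-group args
        if any(marker in exe for marker in USER_WRITABLE):
            findings.append(("process_user_writable_path", proc))

    for entry in sections.get("pseudo hjt report", []):
        kind, _, rest = entry.partition(":")
        rest = rest.strip()
        if rest.endswith("- No File"):
            # Registry still names a BHO/toolbar whose DLL is gone.
            findings.append(("orphaned_" + kind.lower(), entry))
        elif kind == "Filter" and rest.endswith("-"):
            # MIME filter registered with no module path to inspect.
            findings.append(("filter_without_module", entry))
        elif kind == "Hosts":
            # Every Hosts override is shown; 127.0.0.1 entries for security
            # sites are a classic way of blocking help and updates.
            findings.append(("hosts_override", entry))

    for created in sections.get("created last 30", []):
        parts = created.split(None, 4)  # date time size attrs path
        if len(parts) != 5:
            continue
        attrs, path = parts[3], parts[4].lower()
        if not attrs.startswith("d") and "\\windows\\system32\\" in path:
            findings.append(("new_file_in_system32", created))

    return findings


def summarize(findings):
    """Count findings per kind for a one-screen overview."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_LOG):
        print(f"{kind:28s} {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

To use it on a real post, save the pasted log to a file and call `triage(open(path).read())`; the section names are matched case-insensitively, so the same code handles the `Running Processes`, `Pseudo HJT Report` and `Created Last 30` blocks exactly as DDS prints them. Each finding still needs the helper's judgement: the point of the script is to make sure none of these entries is overlooked in a 300-line log, not to decide what is malicious.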

:)

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

