
Hello there

I normally just run system restores to fix any malware problems, but my girlfriend recently got malware on her laptop and I'm finding it pretty difficult to deal with. I managed to restore the system, which allowed me internet access again, but I just cannot get rid of this thing. I've attempted to run Malwarebytes in safe mode. I have installed and run Malwarebytes in safe mode. I have used Rkill to attempt to disable the malware and then run MWB. Whatever it is, it's good. Whenever I reinstall MWB and run a scan, it closes. When I try to reopen MWB it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." When I try to open it as administrator, same problem.

I stumbled across your "I'm infected...what now" post and I still was unable to complete all of the steps. I was able to run Defogger.exe. I was also able to run DDS, and here are my logs for that. I was unable to run the GMER rootkit scanner when you uncheck the boxes. It works the first time. When I try to go back and relaunch the random exe I get the same message as when trying to reopen MWB: "Windows cannot access the specified device..." So any help would be greatly appreciated, thanks.

I also tried to install AVG and run a scan. It will run, but I don't come up with any errors. But AVG keeps saying I'm not completely protected and pressing Fix won't work.

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by arden at 20:36:41.39 on Tue 05/10/2011

Internet Explorer: 8.0.7600.16385

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1790.894 [GMT -7:00]

.

AV: McAfee VirusScan *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee VirusScan *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Personal Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

"\\.\globalroot\Device\svchost.exe\svchost.exe"

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\system32\atiesrxx.exe

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\atieclxx.exe

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\TODDSrv.exe

C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe

C:\windows\system32\SearchIndexer.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\taskhost.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Windows\system32\WUDFHost.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Synaptics\SynTP\SynTPHelper.exe

C:\Program Files\TOSHIBA\Utilities\KeNotify.exe

C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe

C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe

C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe

C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe

C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\AVG\AVG10\avgemcx.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\windows\system32\conhost.exe

C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\windows\system32\taskeng.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe

C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe

C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\windows\System32\svchost.exe -k secsvcs

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe

C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe

C:\Program Files\Logitech\LWS\LU\LULnchr.exe

C:\Program Files\Logitech\LWS\LU\LogitechUpdate.exe

C:\windows\system32\taskhost.exe

C:\Users\arden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N0EJ9N55\Defogger[1].exe

C:\windows\system32\conhost.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\windows\system32\SearchFilterHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe

C:\windows\system32\taskeng.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\wbem\wmiprvse.exe

C:\Program Files\Apple Software Update\SoftwareUpdate.exe

C:\windows\system32\DllHost.exe

C:\windows\system32\DllHost.exe

C:\Users\arden\Desktop\dds.scr

C:\windows\system32\conhost.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://www.google.com

uStart Page = hxxp://www.yahoo.com/

uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll

uRun: [MyTOSHIBA] "c:\program files\toshiba\my toshiba\MyToshiba.exe" /AUTO

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe

mRun: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

mRun: [sVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL

mRun: [HWSetup] "c:\program files\toshiba\utilities\HWSetup.exe" hwSetUP

mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe

mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

mRun: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe

mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60

mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe

mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-5-10 352656]

R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-8 176128]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]

R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-11-8 171520]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-8 167936]

R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-11-8 54136]

R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-9-17 111960]

S2 0053131305070575mcinstcleanup;McAfee Application Installer Cleanup (0053131305070575);c:\users\arden\appdata\local\temp\005313~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\users\arden\appdata\local\temp\005313~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-20 135664]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-20 135664]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-13 1343400]

.

=============== Created Last 30 ================

.

2011-05-11 03:23:41 -------- d-----w- c:\program files\Trend Micro

2011-05-11 01:34:34 442880 ----a-w- c:\windows\system32\XpsPrint.dll

2011-05-11 01:34:34 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2011-05-11 01:34:24 161792 ----a-w- c:\windows\system32\d3d10_1.dll

2011-05-11 01:34:07 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2011-05-11 01:32:46 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2011-05-11 01:22:23 -------- d-----w- c:\progra~2\IObit

2011-05-11 01:08:40 -------- d-----w- c:\users\arden\appdata\roaming\Malwarebytes

2011-05-11 01:08:35 -------- d-----w- c:\progra~2\Malwarebytes

2011-05-11 00:36:14 -------- d-----w- c:\windows\system32\drivers\AVG

2011-05-10 23:49:56 -------- d-----w- c:\users\arden\appdata\roaming\IObit

2011-05-10 23:49:55 -------- d-----w- c:\program files\IObit

2011-05-10 22:55:05 -------- d-----w- c:\users\arden\appdata\roaming\FixCleaner

2011-05-10 22:55:00 -------- d-----w- c:\program files\FixCleaner

2011-05-10 21:57:01 -------- d-----w- c:\users\arden\appdata\local\ElevatedDiagnostics

2011-05-10 19:56:36 -------- d-----w- c:\users\arden\appdata\roaming\AVG10

2011-05-10 19:52:53 -------- d-----w- c:\progra~2\AVG10

2011-05-10 19:51:41 -------- d-----w- c:\program files\AVG

2011-05-10 17:48:20 -------- d--h--w- c:\progra~2\Common Files

2011-05-10 03:12:57 -------- d-----w- c:\users\arden\appdata\roaming\Systweak

2011-05-10 01:00:46 -------- d-----w- c:\progra~2\MFAData

2011-04-15 04:28:30 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys

.

==================== Find3M ====================

.

2011-05-11 01:33:44 276992 ----a-w- c:\windows\system32\wcncsvc.dll

2011-05-11 01:33:21 981504 ----a-w- c:\windows\system32\wininet.dll

2011-05-11 01:33:21 350720 ----a-w- c:\windows\system32\winhttp.dll

2011-05-11 01:33:20 80384 ----a-w- c:\windows\system32\davclnt.dll

2011-05-11 01:33:20 73728 ----a-w- c:\windows\system32\wscsvc.dll

2011-05-11 01:33:20 51200 ----a-w- c:\windows\system32\wscapi.dll

2011-05-11 01:33:20 204800 ----a-w- c:\windows\system32\WebClnt.dll

2011-05-11 01:33:20 204288 ----a-w- c:\windows\system32\upnp.dll

2011-05-11 01:33:20 14336 ----a-w- c:\windows\system32\slwga.dll

2011-05-11 01:33:20 1389568 ----a-w- c:\windows\system32\msxml6.dll

2011-05-11 01:33:20 1236992 ----a-w- c:\windows\system32\msxml3.dll

2011-05-11 01:33:01 541184 ----a-w- c:\windows\system32\kerberos.dll

.

============= FINISH: 20:37:35.88 ===============

PS: That HijackThis program also will not work.

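The line a responder reads first in the log above is `"\\.\globalroot\Device\svchost.exe\svchost.exe"` under Running Processes: `\\.\GLOBALROOT` is the root of the NT object manager namespace, and a process whose image is referenced that way, rather than by a drive-letter path under `C:\Windows\System32`, is the kind of entry that gets pulled apart before anything else. Two other entries a triager would at least note are the `Defogger[1].exe` launched from the IE cache (the poster's own tool, by their account) and the `S2` McAfee cleanup service whose image lives in `AppData\Local\Temp`. The script below is an added example, not code from the poster, from Malwarebytes, or from the DDS tool: it parses the Running Processes and SERVICES / DRIVERS sections of a DDS log and flags image paths by three heuristics (device/globalroot path, core Windows binary name outside its normal directory, executable in a temp or browser-cache folder). The heuristics and the list of "home" directories are assumptions chosen for this example, and the sample input is an excerpt of the log posted above. A hit is a reason to look closer, not a verdict.

```python
"""Triage pass over the 'Running Processes' and 'SERVICES / DRIVERS'
sections of a DDS log (added example; heuristics are assumptions)."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Where a core Windows binary of this name is expected to live (assumed list).
SYSTEM_BINARY_HOMES = {
    name: ("c:\\windows\\system32", "c:\\windows\\syswow64")
    for name in ("svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                 "winlogon.exe", "wininit.exe", "lsm.exe", "smss.exe")
}
SYSTEM_BINARY_HOMES["explorer.exe"] = ("c:\\windows",)

# Directories a persistent process or service has no business running from.
TRANSIENT_DIRS = ("\\appdata\\local\\temp\\", "\\temporary internet files\\")


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def image_from_process_line(line: str) -> Optional[str]:
    """Process lines are a quoted path, or a bare path with optional ' -args'."""
    line = line.strip()
    if not line or line[0] in ".=":
        return None
    if line.startswith('"'):
        end = line.find('"', 1)
        return line[1:end] if end > 1 else None
    return re.split(r"\s+-", line, maxsplit=1)[0]


def image_from_service_line(line: str) -> Optional[str]:
    """Service lines look like 'R2 name;display;path args [date size]'."""
    m = re.match(r"^[RS]\d\s+[^;]*;[^;]*;(.+)$", line.strip())
    if not m:
        return None
    # The image path ends at the first .exe/.sys/.dll followed by a space or EOL,
    # which keeps paths containing spaces intact and drops the argument tail.
    m2 = re.match(r"(.+?\.(?:exe|sys|dll))(?:\s|$)", m.group(1), re.IGNORECASE)
    return m2.group(1) if m2 else None


def assess(image: str) -> List[str]:
    """Return the list of reasons this image path deserves a closer look."""
    p = image.lower()
    reasons = []
    if p.startswith("\\\\.\\globalroot\\") or "\\device\\" in p:
        reasons.append("image referenced by a device/globalroot path, not a drive letter")
    homes = SYSTEM_BINARY_HOMES.get(ntpath.basename(p))
    if homes and ntpath.dirname(p) not in homes:
        reasons.append("core Windows binary name running outside its expected directory")
    if any(d in p for d in TRANSIENT_DIRS):
        reasons.append("executable located in a temp or browser-cache directory")
    return reasons


def triage(dds_text: str) -> List[Finding]:
    """Walk the DDS sections and collect every image path with at least one reason."""
    findings, section = [], None
    for raw in dds_text.splitlines():
        line = raw.strip()
        if line.startswith("="):
            section = ("proc" if "Running Processes" in line
                       else "svc" if "SERVICES / DRIVERS" in line else None)
            continue
        if section == "proc":
            image = image_from_process_line(line)
        elif section == "svc":
            image = image_from_service_line(line)
        else:
            continue
        if image:
            reasons = assess(image)
            if reasons:
                findings.append(Finding(image, reasons))
    return findings


# Excerpt of the DDS log posted above, used as sample input.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Users\arden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N0EJ9N55\Defogger[1].exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
.
============= SERVICES / DRIVERS ===============
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-5-10 352656]
S2 0053131305070575mcinstcleanup;McAfee Application Installer Cleanup (0053131305070575);c:\users\arden\appdata\local\temp\005313~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\users\arden\appdata\local\temp\005313~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
.
=============== Created Last 30 ================
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f.image)
        for r in f.reasons:
            print("   -", r)
```

Run against the excerpt, the globalroot svchost.exe line gets two reasons (device path, and a core binary name outside `c:\windows\system32`), the Defogger entry and the Temp-resident service get one each, and every other line passes. The dirname comparison is deliberately exact rather than a prefix match so that `C:\Windows\Temp\svchost.exe` is still flagged while `C:\Windows\Explorer.EXE` is not.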

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317
