
PLEASE HELP _ Security protection virus



I was able to use RKill, and Malwarebytes runs, but only for a few seconds.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Run by Jason at 18:43:11 on 2011-08-26

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.878 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: McAfee Firewall *Enabled*

FW: AVG Firewall *Disabled*

.

============== Running Processes ===============

.

F:\PROGRA~1\AVG\AVG10\avgchsvx.exe

F:\PROGRA~1\AVG\AVG10\avgrsx.exe

F:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

F:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

F:\WINDOWS\system32\ctfmon.exe

svchost.exe

F:\WINDOWS\system32\svchost.exe -k imgsvc

F:\WINDOWS\system32\wscntfy.exe

F:\WINDOWS\system32\rundll32.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\WINDOWS\explorer.exe

F:\Program Files\Outlook Express\msimn.exe

F:\WINDOWS\system32\taskmgr.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\9WP0RFAL\avira_antivir_personal_en[1].exe

F:\DOCUME~1\Jason\LOCALS~1\Temp\RarSFX18\presetup.exe

F:\DOCUME~1\Jason\LOCALS~1\Temp\RarSFX18\setup.exe

F:\Program Files\Avira\AntiVir Desktop\sched.exe

F:\Program Files\Avira\AntiVir Desktop\avgnt.exe

F:\Program Files\Avira\AntiVir Desktop\avconfig.exe

F:\Program Files\Avira\AntiVir Desktop\avcenter.exe

F:\Program Files\Avira\AntiVir Desktop\avguard.exe

F:\Program Files\Avira\AntiVir Desktop\avshadow.exe

f:\program files\avira\antivir desktop\avscan.exe

F:\WINDOWS\System32\vssvc.exe

F:\WINDOWS\system32\dllhost.exe

F:\WINDOWS\system32\dllhost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://msn.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

mSearchAssistant = hxxp://start.facemoods.com/?a=w7th1&s={searchTerms}&f=4

uURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - f:\program files\avg\avg10\avgssie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - f:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - f:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &ESPN: {ae6f2894-af10-4c9c-b16e-1dfc6ff8c0c6} -

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - f:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {00000000-5736-4205-0008-F7ED0776FB27} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL

uRun: [swg] "f:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Logitech Vid] "f:\program files\logitech\logitech vid\vid.exe" -bootmode

uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe

uRun: [security Protection] f:\documents and settings\all users\application data\defender.exe

mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [LogitechQuickCamRibbon] "f:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [QuickTime Task] "f:\program files\quicktime\QTTask.exe" -atboottime

mRun: [AVG_TRAY] f:\program files\avg\avg10\avgtray.exe

mRun: [iTunesHelper] "f:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe ARM] "f:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avgnt] "f:\program files\avira\antivir desktop\avgnt.exe" /min

StartupFolder: f:\docume~1\jason\startm~1\programs\startup\sonicw~1.lnk - f:\windows\installer\{40624553-811e-400e-b69b-38d8926a66bd}\_A408D8C4509665C152B13E.exe

IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - f:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{94EB4D5B-F408-4EBE-AB47-1B85861A17AB} : DhcpNameServer = 192.168.0.1

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - f:\program files\avg\avg10\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - f:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - f:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - f:\documents and settings\jason\application data\mozilla\firefox\profiles\gov08q21.default user\

FF - prefs.js: browser.search.selectedEngine - AVG Secure Search

FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4daa4f69&v=6.103.018.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=

FF - component: f:\program files\avg\avg10\firefox4\components\avgssff4.dll

FF - component: f:\program files\avg\avg10\firefox4\components\avgssff5.dll

FF - plugin: f:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: f:\program files\canon\zoombrowser ex\program\NPCIG.dll

FF - plugin: f:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: f:\program files\mozilla firefox\plugins\NPAdbESD.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - f:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - f:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: D-Link Toolbar: {926a10d2-4ce7-4331-b96f-ca4e22590fac} - %profile%\extensions\{926a10d2-4ce7-4331-b96f-ca4e22590fac}

FF - Ext: Firefox (default): {972ce4c6-7e08-4474-a285-3208198ce6fd} - %profile%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - f:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - f:\program files\avg\avg10\Firefox4

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;f:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;f:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32592]

R1 avgio;avgio;f:\program files\avira\antivir desktop\avgio.sys [2011-8-26 11608]

R1 Avgldx86;AVG AVI Loader Driver;f:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;f:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]

R1 Avgtdix;AVG TDI Driver;f:\windows\system32\drivers\avgtdix.sys [2011-2-10 297168]

R1 dk2drv;DK2 WindowsNT Driver;f:\windows\system32\drivers\dk2drv.sys [2008-1-26 49720]

R1 SWIPsec;SonicWALL IPsec Driver;f:\windows\system32\drivers\SWIPsec.sys [2011-8-7 87064]

R1 vcdrom;Virtual CD-ROM Device Driver;f:\windows\system32\drivers\VCdRom.sys [2010-2-2 8576]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;f:\program files\avira\antivir desktop\sched.exe [2011-8-26 136360]

R2 AntiVirService;Avira AntiVir Guard;f:\program files\avira\antivir desktop\avguard.exe [2011-8-26 269480]

R2 avgntflt;avgntflt;f:\windows\system32\drivers\avgntflt.sys [2011-8-26 61960]

R3 AVGIDSDriver;AVGIDSDriver;f:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]

R3 AVGIDSFilter;AVGIDSFilter;f:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]

R3 AVGIDSShim;AVGIDSShim;f:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]

R4 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [2011-8-26 41272]

S2 AVGIDSAgent;AVGIDSAgent;f:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]

S2 avgwd;AVG WatchDog;f:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]

S2 gupdate;Google Update Service (gupdate);f:\program files\google\update\GoogleUpdate.exe [2010-5-27 136176]

S2 SWGVCSvc;SonicWALL Global VPN Client Service;f:\program files\sonicwall\sonicwall global vpn client\SWGVCSvc.exe [2009-3-5 227352]

S3 DK2USB;DK2usb Driver;f:\windows\system32\drivers\DK2USB.sys [2008-1-26 18360]

S3 gupdatem;Google Update Service (gupdatem);f:\program files\google\update\GoogleUpdate.exe [2010-5-27 136176]

S3 PSSDK42;PSSDK42;f:\windows\system32\drivers\pssdk42.sys [2011-8-7 38976]

S3 SWVNIC;SonicWALL Virtual Miniport;f:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]

.

=============== Created Last 30 ================

.

2011-08-26 22:05:37 -------- d-----w- f:\documents and settings\jason\application data\Avira

2011-08-26 22:05:03 -------- d-----w- f:\windows\system32\NtmsData

2011-08-26 22:01:23 61960 ----a-w- f:\windows\system32\drivers\avgntflt.sys

2011-08-26 22:01:23 -------- d-----w- f:\program files\Avira

2011-08-26 22:01:23 -------- d-----w- f:\documents and settings\all users\application data\Avira

2011-08-26 21:47:20 41272 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

2011-08-26 21:47:14 22712 ----a-w- f:\windows\system32\drivers\mbam.sys

2011-08-26 19:46:19 862208 ----a-w- f:\documents and settings\all users\application data\defender.exe

2011-08-08 01:46:49 -------- d-----w- f:\documents and settings\jason\local settings\application data\VMware

2011-08-08 01:46:08 -------- d-----w- f:\program files\VMware

2011-08-07 15:54:14 -------- d-----w- f:\documents and settings\jason\application data\SonicWALL

2011-08-07 15:53:11 87064 ----a-w- f:\windows\system32\drivers\SWIPsec.sys

2011-08-07 15:52:26 -------- d-----w- f:\program files\common files\Deterministic Networks

2011-08-07 15:52:25 -------- d-----w- f:\program files\SonicWALL

2011-08-07 14:42:26 -------- d--h--w- F:\$AVG

2011-08-07 13:32:24 38976 ----a-w- f:\windows\system32\drivers\pssdk42.sys

2011-08-07 13:31:54 -------- d-----w- f:\program files\Tenable

2011-08-01 20:45:29 -------- d-----w- f:\program files\Wireshark

2011-08-01 20:39:36 -------- d-----w- f:\documents and settings\jason\application data\Wireshark

.

==================== Find3M ====================

.

2011-07-26 19:21:15 0 ----a-w- f:\documents and settings\all users\application data\qmwr.exe

2011-07-26 19:21:15 0 ----a-w- f:\documents and settings\all users\application data\onag.exe

2011-07-26 19:21:15 0 ----a-w- f:\documents and settings\all users\application data\ieef.exe

2011-07-26 19:21:15 0 ----a-w- f:\documents and settings\all users\application data\btbm.exe

2011-07-17 18:51:34 205 ----a-w- f:\windows\system32\lsprst7.dll

2011-07-17 18:51:33 1025 ----a-w- f:\windows\system32\sysprs7.dll

2011-06-02 14:02:05 1858944 ----a-w- f:\windows\system32\win32k.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST316002 rev. -> Harddisk1\DR2 -> \Device\00000086

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys USBSTOR.SYS hal.dll usbhub.sys USBPORT.SYS usbehci.sys

1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk1\DR2[0x8A5F0AB8]

3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000085[0x8A8BAEA0]

5 USBSTOR[0xF781F706] -> nt!IofCallDriver[0x804E13B9] -> \Device\USBPDO-7[0x8A9A0698]

7 usbhub[0xBA2E6596] -> nt!IofCallDriver[0x804E13B9] -> \Device\USBPDO-4[0x8A06E030]

kernel: MBR read successfully

_asm { CLI ; XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV SI, SP; PUSH AX; POP ES; PUSH AX; POP DS; STI ; CLD ; MOV DI, 0x600; MOV CX, 0x100; REPNZ MOVSW ; JMP FAR 0x0:0x61d; }

user != kernel MBR !!!

error: Read The parameter is incorrect.

.

============= FINISH: 18:44:44.31 ===============

attach.zip


  • Staff

Hi and welcome to Malwarebytes.

I notice that you are using more than one antivirus program (AVG and Antivir). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility writes a runtime log into the root directory of the system disk (the disk where the operating system is installed, C:\ as a rule).

The log name has the form UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has finished, two logs will be produced; please post only DDS.txt directly into your reply.

-screen317


  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
