MalwareCrypt
Author Topic: Windows Security Virus  (Read 12078 times)
Jintan
« Reply #90 on: May 26, 2011, 08:21:27 PM »

Yes please.
cdruet
« Reply #91 on: May 26, 2011, 09:07:25 PM »

Combofix log:

ComboFix 11-05-26.01 - David & Cindy 05/26/2011  23:45:34.5.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.254.113 [GMT -3:00]
Running from: c:\documents and settings\David & Cindy\Desktop\larry.scr
Command switches used :: /S
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
(((((((((((((((((((((((((   Files Created from 2011-04-27 to 2011-05-27  )))))))))))))))))))))))))))))))
.
.
2011-05-26 12:12 . 2011-05-26 12:12   --------   d-----w-   c:\program files\ESET
2011-05-26 02:06 . 2011-05-26 02:07   --------   d-----w-   c:\documents and settings\David & Cindy\Local Settings\Application Data\AskToolbar
2011-05-25 11:32 . 2011-05-25 11:32   --------   dc----w-   C:\456out
2011-05-23 13:04 . 2011-05-23 13:04   --------   d-----w-   c:\program files\Common Files\Java
2011-05-23 12:59 . 2011-05-23 12:56   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-05-23 12:59 . 2011-05-23 12:56   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-05-22 22:37 . 2010-11-09 17:56   27984   ----a-w-   c:\windows\system32\sbbd.exe
2011-05-22 22:37 . 2010-11-09 17:56   98392   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2011-05-22 17:09 . 2011-05-10 11:59   19544   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2011-05-22 17:09 . 2011-05-10 12:03   307928   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2011-05-22 17:09 . 2011-05-10 12:02   49240   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2011-05-22 17:09 . 2011-05-10 11:59   25432   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2011-05-22 17:08 . 2011-05-10 12:03   441176   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2011-05-22 17:08 . 2011-05-10 12:02   102616   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2011-05-22 17:08 . 2011-05-10 12:02   96344   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2011-05-22 17:08 . 2011-05-10 11:59   30808   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2011-05-22 17:07 . 2011-05-10 12:10   40112   ----a-w-   c:\windows\avastSS.scr
2011-05-22 17:07 . 2011-05-10 12:10   199304   ----a-w-   c:\windows\system32\aswBoot.exe
2011-05-22 16:16 . 2010-12-20 21:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-21 23:21 . 2011-05-21 23:21   --------   d-----w-   C:\found.000
2011-05-19 12:11 . 2011-05-19 12:11   --------   d-----w-   c:\documents and settings\David & Cindy\Application Data\BabylonToolbar
2011-05-19 02:54 . 2011-05-19 02:54   --------   d-----w-   c:\documents and settings\Shawn.MYCOMPUTER\Application Data\MSNInstaller
2011-05-17 23:24 . 2011-05-17 23:24   --------   d-----w-   c:\documents and settings\Shawn.MYCOMPUTER\Application Data\BabylonToolbar
2011-05-17 23:12 . 2011-05-19 02:46   17480   ----a-w-   c:\windows\system32\drivers\hitmanpro35.sys
2011-05-17 23:10 . 2011-05-17 23:26   --------   dc----w-   c:\documents and settings\All Users\Application Data\Hitman Pro
2011-05-17 23:10 . 2011-05-17 23:10   --------   d-----w-   c:\program files\Hitman Pro 3.5
2011-05-17 22:02 . 2011-05-17 22:09   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-05-17 21:57 . 2011-05-17 22:02   --------   d-----w-   c:\documents and settings\Shawn.MYCOMPUTER\Local Settings\Application Data\Temp
2011-05-17 21:57 . 2011-05-18 22:33   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-05-17 21:55 . 2011-05-22 17:07   --------   dc----w-   c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-17 21:55 . 2011-05-22 17:07   --------   d-----w-   c:\program files\AVAST Software
2011-05-17 21:26 . 2011-05-17 21:40   --------   d-----w-   c:\documents and settings\Shawn.MYCOMPUTER\Application Data\Sammsoft
2011-05-17 21:25 . 2011-05-26 02:00   --------   dc----w-   C:\Firefox
2011-05-13 23:48 . 2011-05-13 23:48   --------   dc----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-11 15:45 . 2011-05-11 23:12   --------   dc----w-   c:\documents and settings\All Users\Application Data\STOPzilla!
2011-05-11 11:53 . 2010-10-19 20:51   222080   ------w-   c:\windows\system32\MpSigStub.exe
2011-05-10 23:23 . 2011-05-10 23:23   --------   d-----w-   c:\documents and settings\Shawn.MYCOMPUTER\Application Data\SUPERAntiSpyware.com
2011-05-10 20:43 . 2011-05-10 20:43   --------   d-----w-   c:\documents and settings\Shawn.MYCOMPUTER\Application Data\Malwarebytes
2011-05-10 20:39 . 2011-05-10 20:39   --------   d-----w-   c:\documents and settings\Shawn.MYCOMPUTER\Application Data\AVG
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2005-01-14 04:31   692736   ----a-w-   c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00   420864   ----a-w-   c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00   1857920   ----a-w-   c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10   122512   ----a-w-   c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"SoundMan"="SOUNDMAN.EXE" [2003-04-24 54784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe"  -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\MSN Messenger\\msgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/22/2011 2:08 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/22/2011 2:09 PM 307928]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/22/2011 7:37 PM 98392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/22/2011 2:09 PM 19544]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [6/4/2004 2:21 PM 70888]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 15:34]
.
2011-05-26 c:\windows\Tasks\User_Feed_Synchronization-{2F7CAAB8-DE23-4982-B96B-35479016B664}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 07:31]
.
.
------- Supplementary Scan -------
.
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
IE: &eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
IE: &MSN Search - c:\program files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Compare Prices with &Dealio - c:\program files\Dealio\res\DealioSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{6FDD5236-C9F0-49ef-935D-385F5E21991A}
Trusted Zone: globalepanel.com\www3
Trusted Zone: microsoft.com\office
TCP: DhcpNameServer = 192.168.2.1 192.168.2.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {483912CF-8995-4434-AD61-6163756E05DF} - hxxp://download.livemath.com/activex/AXTNS.ocx
DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} - hxxp://workspace.office.live.com/Misc/Microsoft.OfficeLive.Workspace.RichUpload.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-26 23:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2324)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-27  00:05:24
ComboFix-quarantined-files.txt  2011-05-27 03:05
ComboFix2.txt  2011-05-25 12:00
ComboFix3.txt  2011-05-16 02:39
ComboFix4.txt  2011-05-15 21:20
.
Pre-Run: 54,222,036,992 bytes free
Post-Run: 54,233,731,072 bytes free
.
Current=4 Default=4 Failed=2 LastKnownGood=3 Sets=1,2,3,4
- - End Of File - - 111A6DD00C82B92EBE4730FF0B0408D8
Jintan
« Reply #92 on: May 26, 2011, 09:22:20 PM »

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/22/2011 7:37 PM 98392]

Is a Sunbelt program installed/running there?

Also, let's check a different scan. Run and post a scan from HijackThis. If you don't already have it installed, you can download the installer from here.

Looking clean, by the way.
cdruet
« Reply #93 on: May 27, 2011, 05:48:42 AM »

What would a Sunbelt program consist of? Also, when I downloaded HijackThis from the link you sent it said it was corrupted, so I downloaded it from CNET. Here is the log. Also, when I do a boot scan with Avast it says there is an infection, but when I try to Move to Chest or Delete it says there is Not enough Quota. Does this mean anything?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:45:59 AM, on 5/27/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/default.aspx?st=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.00.0001.1203\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www3.globalepanel.com
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - http://site.ebrary.com.proxy.hil.unb.ca/lib/unblib/support/plugins/ebraryRdr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - http://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {483912CF-8995-4434-AD61-6163756E05DF} (AXTNS Control) - http://download.livemath.com/activex/AXTNS.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-ca/4,0,0,90/mcinsctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - http://www.worldwinner.com/games/v63/bjattack/bja.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - http://fb.familylink.com/we_are_related/stream/core/lib/AurigmaImageUploader/ImageUploader5.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - http://www.amiuptodate.com/vsc/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124317274718
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - http://www.worldwinner.com/games/v41/hangman/hangman.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - http://www.live365.com/players/play365.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} - http://www.candystand.com/assets/activex/virtools/CacheManager.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} - http://www.clickteam.com/vitalize3/vitalize.cab
O16 - DPF: {EE884C7D-21A0-49EA-B6F2-61ACF4E226F6} - http://workspace.office.live.com/Misc/Microsoft.OfficeLive.Workspace.RichUpload.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4635/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

--
End of file - 10724 bytes
Jintan
« Reply #94 on: May 27, 2011, 05:34:36 PM »

The HijackThis installer is okay - what indicated the file was corrupt?

The log looks fine. That Avast error suggests too much memory is in use by running processes, but this log list doesn't seem to suggest that. Or too little Virtual Memory (parts of the hard drive that serve as an extension of RAM, sorta).

Go to Start - Settings - Control Panel. Click the System icon, Advanced tab, Performance - Settings Button. Advanced tab, Virtual Memory Change button. Is it set to Custom, or System managed, and what sizes are selected there?
Jintan
« Reply #95 on: May 27, 2011, 05:36:12 PM »

Forgot - Sunbelt.

Go to Start > Run and type

cmd

and OK. At the prompt type (or copy/paste) the below commands and hit "Enter" after each line:

sc config SBRE start= disabled
sc stop SBRE
sc delete SBRE


Type Exit and press Enter to close the command window.

You may get errors - the important step though is the first, start= disabled one.
cdruet
« Reply #96 on: May 27, 2011, 07:00:42 PM »

Here is the log from the commands:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\David & Cindy>sc config SBRE start= disabled
[SC] ChangeServiceConfig SUCCESS

C:\Documents and Settings\David & Cindy>sc stop SBRE

SERVICE_NAME: SBRE
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Documents and Settings\David & Cindy>sc delete SBRE
[SC] DeleteService SUCCESS

C:\Documents and Settings\David & Cindy>






The Paging file allocation is 1024; suggested 379

When I tried to run the HijackThis file I got the error "The compressed (zipped) file is invalid or corrupted." Then I tried to just run it instead of saving it to the desktop and I got the same thing, so that is when I downloaded it from CNET.
Jintan
« Reply #97 on: May 27, 2011, 08:20:32 PM »

The Paging File was set to letting the system control it, or manually?

For the command results, the step to change it to not startup worked. So next reboot it can then be removed.


For the compressed files do the following.

Download System Repair Engineer. Use the Local Download button to download sreng2.zip.

Extract (unzip) it to its own folder on your Desktop, then double-click SREngLdr.exe to run it.

When the display opens, click the "System Repair" icon in the left hand column.

Under the first "File Association" tab it will have already placed checkmarks in the boxes next to file associations it sees as incorrect. Don't make any changes, and just click Repair. The display will flicker briefly, and then the results should reflect all are "Normal".

You will see many other options to use this tool for, but unless you truly know what they are indicating and what changes System Repair Engineer might make it is really not something you should try in any way (and a reason why I tend to avoid providing this repair tool).
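As an added example (not code from either poster, nor output of sc.exe itself): a small Python parser for a cmd.exe transcript of the three sc commands above. It confirms that the start= disabled step succeeded, reads the TYPE/STATE/flag lines of the sc stop reply, and reports whether the driver is already gone, will be removed at the next reboot, or is merely prevented from loading. The prompt path, the NOSUCH service name and the failure transcript are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed transcript modelled on the sc.exe output posted in the thread:
# a kernel driver that is already STOPPED and reports NOT_STOPPABLE. The
# prompt path is a placeholder, not the poster's.
SAMPLE_TRANSCRIPT = """\
C:\\Documents and Settings\\user>sc config SBRE start= disabled
[SC] ChangeServiceConfig SUCCESS

C:\\Documents and Settings\\user>sc stop SBRE

SERVICE_NAME: SBRE
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\\Documents and Settings\\user>sc delete SBRE
[SC] DeleteService SUCCESS
"""

# Constructed failure case: the service name (NOSUCH, a placeholder) is not installed.
MISSING_TRANSCRIPT = """\
C:\\Documents and Settings\\user>sc config NOSUCH start= disabled
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

CMD_RE = re.compile(r">sc\s+(\w+)\s+(\S+)\s*(.*)$")   # the command typed at the prompt
TYPE_RE = re.compile(r"TYPE\s*:\s*\d+\s+(\S+)")
STATE_RE = re.compile(r"STATE\s*:\s*\d+\s+(\S+)")
FLAGS_RE = re.compile(r"\(([A-Z_,]+)\)")               # e.g. (NOT_STOPPABLE,NOT_PAUSABLE,...)


@dataclass
class ScOutcome:
    service: Optional[str] = None
    config_disabled: bool = False      # "sc config <name> start= disabled" succeeded
    stop_issued: bool = False
    delete_succeeded: bool = False
    service_type: Optional[str] = None  # KERNEL_DRIVER, WIN32_OWN_PROCESS, ...
    state: Optional[str] = None         # STOPPED, RUNNING, ...
    flags: Set[str] = field(default_factory=set)
    errors: List[str] = field(default_factory=list)


def parse_sc_transcript(text: str) -> ScOutcome:
    """Walk a cmd.exe transcript and record what each sc command reported."""
    out = ScOutcome()
    current = None  # (verb, service, args) of the command currently being answered
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_RE.search(line)
        if m:
            current = (m.group(1).lower(), m.group(2), m.group(3).replace(" ", "").lower())
            out.service = out.service or m.group(2)
            if current[0] == "stop":
                out.stop_issued = True
            continue
        if line.startswith("[SC]") and "FAILED" in line:
            out.errors.append(line)
        elif line == "[SC] ChangeServiceConfig SUCCESS" and current and current[0] == "config":
            if current[2] == "start=disabled":
                out.config_disabled = True
        elif line == "[SC] DeleteService SUCCESS":
            out.delete_succeeded = True
        elif TYPE_RE.match(line):
            out.service_type = TYPE_RE.match(line).group(1)
        elif STATE_RE.match(line):
            out.state = STATE_RE.match(line).group(1)
        elif FLAGS_RE.fullmatch(line):
            out.flags = set(FLAGS_RE.fullmatch(line).group(1).split(","))
    return out


def assess(o: ScOutcome) -> Tuple[str, str]:
    """Reduce the parsed transcript to a status code and a one-line reading."""
    if o.errors:
        return "error", "; ".join(o.errors)
    if not o.config_disabled:
        return "still_enabled", "start type unchanged: the driver will load again at boot"
    if o.delete_succeeded and o.state == "STOPPED":
        return "removed_at_reboot", "disabled, stopped and deleted; the driver file can go after the next reboot"
    if o.delete_succeeded:
        return "pending_delete", "disabled and marked for deletion; the loaded driver is gone after the next reboot"
    if "NOT_STOPPABLE" in o.flags:
        return "disabled_only", "disabled but not stoppable at runtime; stays loaded until reboot, then does not start"
    return "disabled_only", "disabled; stop/delete did not complete, but it will not start at next boot"


if __name__ == "__main__":
    for text in (SAMPLE_TRANSCRIPT, MISSING_TRANSCRIPT):
        code, reading = assess(parse_sc_transcript(text))
        print(f"{code}: {reading}")
```

The ordering of checks in assess mirrors the point made in the thread: once start= disabled has succeeded, a failed stop or delete is a minor problem, because the driver is not loaded again at the next boot; a failed config step is the one that leaves the machine where it was.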
cdruet
« Reply #98 on: May 28, 2011, 08:04:22 AM »

The Paging File says it is Custom size, not System Managed.

When I downloaded and unzipped the System Engineer file it would not work, so instead of saving it to the desktop, when it asked whether to open or save, I said Open and I did get into where you said I would, with the System Repair icon on the left. However, before I could click on the box, the following warning came up in the bottom right-hand corner of the desktop:

Warning! System Repair Engineer remind you that the following functions have modified to abnormal values
by unknown reasons:

Entrypoint Error: ChangeServiceConfigA      Unknown Dest. address is: 0x003B0B09
Entrypoint Error: ChangeServiceConfig2A      Unknown Dest. address is: 0x003B0C11
Entrypoint Error: ChangeServiceConfigW      Unknown Dest. address is: 0x003B0A0D
Entrypoint Error: ChangeServiceConfig2W      Unknown Dest. address is: 0x003B0E15
Entrypoint Error: CreateServiceA         Unknown Dest. address is: 0x003B01FD
Entrypoint Error: CreateServiceW         Unknown Dest. address is: 0x003B0401
Entrypoint Error: DeleteService         Unknown Dest. address is: 0x003B0605
Entrypoint Error: SetWindowsHookExA         Unknown Dest. address is: 0x003A0605
Entrypoint Error: SetWindowsHookExW      Unknown Dest. address is: 0x003A0809
Entrypoint Error: UnhookWindowsHookEx      Unknown Dest. address is: 0x003A0A0D


They are all listed as Dangerous Level High, and when you go into Details there is another column "Hooked by Module" which gives a Destination Address for each of them, which I have typed in above. It did give the option to Fix these; however, as you said this was a dangerous program I wanted to check with you first. I also did not go any further with the System Repair icon (I didn't even open it). What do I do?


 
Jintan
« Reply #99 on: May 28, 2011, 02:40:39 PM »

Gotta still be some rootkit activity there then.

Open Gmer again. Once it has completed its opening scan, this time just right-click in the white space in the display and select Options - Only non MS files. Then click Scan and allow Gmer to run a different scan. Once that completes click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
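As an added example, not part of either post and not code from System Repair Engineer: a Python triage of the ten "Entrypoint Error" lines quoted above. It parses each function name and destination address, looks the destination up in a table of loaded-module address ranges, and groups the destinations that belong to no module by 64 KiB region. The module ranges below are constructed for illustration (on a real system they come from the examined process's module list); the export-to-DLL mapping (advapi32.dll for the service-control functions, user32.dll for the hook functions) is documented Win32 fact; the CONSTRUCTED_BENIGN line is made up to exercise the in-module branch. The ten reported hooks all land in two small regions outside any module, which is what makes them read as injected code rather than a security product's own patch.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# The ten report lines posted above (the page's own values).
SRENG_REPORT = """\
Entrypoint Error: ChangeServiceConfigA      Unknown Dest. address is: 0x003B0B09
Entrypoint Error: ChangeServiceConfig2A      Unknown Dest. address is: 0x003B0C11
Entrypoint Error: ChangeServiceConfigW      Unknown Dest. address is: 0x003B0A0D
Entrypoint Error: ChangeServiceConfig2W      Unknown Dest. address is: 0x003B0E15
Entrypoint Error: CreateServiceA         Unknown Dest. address is: 0x003B01FD
Entrypoint Error: CreateServiceW         Unknown Dest. address is: 0x003B0401
Entrypoint Error: DeleteService         Unknown Dest. address is: 0x003B0605
Entrypoint Error: SetWindowsHookExA         Unknown Dest. address is: 0x003A0605
Entrypoint Error: SetWindowsHookExW      Unknown Dest. address is: 0x003A0809
Entrypoint Error: UnhookWindowsHookEx      Unknown Dest. address is: 0x003A0A0D
"""

# Constructed line for the benign branch: a destination inside the export's own DLL.
CONSTRUCTED_BENIGN = "Entrypoint Error: CreateServiceA         Unknown Dest. address is: 0x77DE1234\n"

LINE_RE = re.compile(
    r"Entrypoint Error:\s+(\w+)\s+(\w+)\s+Dest\. address is:\s+(0x[0-9A-Fa-f]+)")

# DLL that exports each hooked function (documented Win32 fact).
HOME_MODULE = {
    "ChangeServiceConfigA": "advapi32.dll", "ChangeServiceConfigW": "advapi32.dll",
    "ChangeServiceConfig2A": "advapi32.dll", "ChangeServiceConfig2W": "advapi32.dll",
    "CreateServiceA": "advapi32.dll", "CreateServiceW": "advapi32.dll",
    "DeleteService": "advapi32.dll",
    "SetWindowsHookExA": "user32.dll", "SetWindowsHookExW": "user32.dll",
    "UnhookWindowsHookEx": "user32.dll",
}

# Constructed, illustrative load ranges [start, end); take real ones from the
# module list of the process being examined.
LOADED_MODULES: Dict[str, Tuple[int, int]] = {
    "advapi32.dll": (0x77DD0000, 0x77E6B000),
    "user32.dll":   (0x7E410000, 0x7E4A1000),
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
}

Hook = Tuple[str, str, int]  # (function, module label printed by the tool, destination)


def parse_hooks(text: str) -> List[Hook]:
    """Extract (function, label, destination) from each Entrypoint Error line."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hooks.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return hooks


def module_for(addr: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Name of the loaded module whose image contains addr, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def classify(hook: Hook, modules: Dict[str, Tuple[int, int]]) -> str:
    func, _, dest = hook
    owner = module_for(dest, modules)
    if owner is None:
        return "unattributed"            # code in no module image: injected
    if owner == HOME_MODULE.get(func):
        return "in_home_module"          # patched within its own DLL
    return "redirected:" + owner         # detour into another loaded module


def triage(hooks: List[Hook], modules: Dict[str, Tuple[int, int]]) -> Dict:
    """Per-hook verdicts plus the 64 KiB regions that unattributed hooks cluster in."""
    verdicts = {func: classify((func, lbl, dest), modules) for func, lbl, dest in hooks}
    clusters: Dict[int, List[str]] = defaultdict(list)
    for func, _, dest in hooks:
        if verdicts[func] == "unattributed":
            clusters[dest & ~0xFFFF].append(func)
    unattributed = sum(1 for v in verdicts.values() if v == "unattributed")
    if unattributed:
        severity = "high"
    elif any(v.startswith("redirected") for v in verdicts.values()):
        severity = "review"
    else:
        severity = "none"
    return {"verdicts": verdicts, "unattributed": unattributed,
            "clusters": dict(clusters), "severity": severity}


if __name__ == "__main__":
    report = triage(parse_hooks(SRENG_REPORT), LOADED_MODULES)
    print("severity:", report["severity"])
    for region, funcs in sorted(report["clusters"].items()):
        print(f"  region 0x{region:08X}: {', '.join(funcs)}")
```

The two regions the hooks cluster in are far below where Windows XP maps system DLLs, and no loaded image covers them; a "redirected" verdict, by contrast, would point at a named module that can then be checked for a vendor signature before anything is repaired.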
cdruet
« Reply #100 on: May 28, 2011, 03:40:02 PM »

GMER file # 1 (I have to post it in 2 posts because of the size)

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-28 18:33:44
Windows 5.1.2600 Service Pack 3
Running: mg1nj0cj.exe; Driver: C:\DOCUME~1\DAVID&~1\LOCALS~1\Temp\axroiuog.sys


---- Modules - GMER 1.0.15 ----

Module   \SystemRoot\system32\DRIVERS\ialmnt5.sys (Intel Graphics Miniport Driver/Intel Corporation)                                                                    F8CCE000-F8D75000 (684032 bytes)
Module   \SystemRoot\system32\DRIVERS\USR_BSC2.sys (HSF_HWB2 WDM driver/Conexant Systems, Inc.)                                                                         F8C63000-F8C96000 (208896 bytes)
Module   \SystemRoot\system32\DRIVERS\USR_MDM.sys (HSF_DP driver/Conexant Systems, Inc.)                                                                                F8B41000-F8C40000 (1044480 bytes)
Module   \SystemRoot\system32\DRIVERS\HSF_USR.sys (HSF_CNXT driver/Conexant Systems, Inc.)                                                                              F8A99000-F8B41000 (688128 bytes)
Module   \SystemRoot\system32\DRIVERS\e100b325.sys (NDIS 5.1 driver/Intel Corporation)                                                                                  F8A76000-F8A99000 (143360 bytes)
Module   \SystemRoot\System32\Drivers\GEARAspiWDM.sys (CD DVD Filter/GEAR Software Inc.)                                                                                F9506000-F9510000 (40960 bytes)
Module   \SystemRoot\system32\drivers\ALCXWDM.SYS (Realtek AC'97 Audio Driver (WDM)/Realtek Semiconductor Corp.)                                                        F89B5000-F8A62000 (708608 bytes)
Module   \SystemRoot\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.)                                         F9696000-F969B000 (20480 bytes)
Module   \SystemRoot\System32\Drivers\aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)                                                                              F93E6000-F93F0000 (40960 bytes)
Module   \SystemRoot\System32\Drivers\aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)                                                                                 F95CE000-F95D3000 (20480 bytes)
Module   \SystemRoot\System32\Drivers\BANTExt.sys                                                                                                                       F9983000-F9984000 (4096 bytes)
Module   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)                                                                          F049B000-F04E5000 (303104 bytes)
Module   \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)                                                                          F042B000-F049B000 (458752 bytes)
Module   \SystemRoot\System32\Drivers\Aavmker4.SYS (avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP/AVAST Software)                                        F95EE000-F95F4000 (24576 bytes)
Module   \SystemRoot\System32\ialmdnt5.dll (Controller Hub for Intel Graphics Driver/Intel Corporation)                                                                 BF020000-BF03F000 (126976 bytes)
Module   \SystemRoot\System32\ialmrnt5.dll (Controller Hub for Intel Graphics Driver/Intel Corporation)                                                                 BF012000-BF020000 (57344 bytes)
Module   \SystemRoot\System32\ialmdev5.DLL (Component GHAL Driver/Intel Corporation)                                                                                    BF03F000-BF05E000 (126976 bytes)
Module   \SystemRoot\System32\ialmdd5.DLL (DirectDraw(R) Driver for Intel(R) Graphics Technology/Intel Corporation)                                                     BF05E000-BF119000 (765952 bytes)
Module   \SystemRoot\System32\ATMFD.DLL (Windows NT OpenType/Type 1 Font Driver/Adobe Systems Incorporated)                                                             BF119000-BF160000 (290816 bytes)
Module   \SystemRoot\System32\Drivers\aswFsBlk.SYS (avast! File System Access Blocking Driver/AVAST Software)                                                           F068A000-F068D000 (12288 bytes)
Module   \SystemRoot\System32\Drivers\aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)                                                      F0130000-F0147000 (94208 bytes)
Module   \SystemRoot\system32\DRIVERS\mdmxsdk.sys (Diagnostic Interface DRIVER/Conexant)                                                                                EFF1B000-EFF1E000 (12288 bytes)
Module   \??\C:\DOCUME~1\DAVID&~1\LOCALS~1\Temp\axroiuog.sys (GMER)                                                                                                     EF4A0000-EF4B9000 (102400 bytes)

---- Processes - GMER 1.0.15 ----

Process  C:\WINDOWS\System32\alg.exe (Application Layer Gateway Service/Microsoft Corporation)                                                                          348
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\System32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)                                                                576
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.)                                                                                        616
Library  C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.)                                                                                        0x00400000
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\WINDOWS\system32\csrss.exe (Client Server Runtime Process/Microsoft Corporation)                                                                            640
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\WINDOWS\system32\winlogon.exe (Windows NT Logon Application/Microsoft Corporation)                                                                          664
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation)                                                                           708
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation)                                                                               720
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.)                                                                 784
Library  C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.)                                                                 0x00400000
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)                                                                888
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)                                                                956
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000
Library  C:\Program Files\Bonjour\mdnsNSP.dll (Bonjour Namespace Provider/Apple Inc.)                                                                                   0x64000000

Process  C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)                                                                1076
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\System32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000
Library  C:\Program Files\Bonjour\mdnsNSP.dll (Bonjour Namespace Provider/Apple Inc.)                                                                                   0x64000000

Process  C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)                                                                1148
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)                                                                1176
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\Documents and Settings\David & Cindy\Desktop\mg1nj0cj.exe                                                                                                   1260
Library  C:\Documents and Settings\David & Cindy\Desktop\mg1nj0cj.exe                                                                                                   0x00400000
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)                                                                1320
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\Program Files\AVAST Software\Avast\AvastSvc.exe (avast! Service/AVAST Software)                                                                             1432
Library  C:\Program Files\AVAST Software\Avast\AvastSvc.exe (avast! Service/AVAST Software)                                                                             0x00400000
Library  C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)                                                                           0x64C80000
Library  C:\Program Files\AVAST Software\Avast\aswCmnOS.dll (Antivirus HW dependent library/AVAST Software)                                                             0x64C00000
Library  C:\Program Files\AVAST Software\Avast\aswCmnIS.dll (Antivirus independent functions/AVAST Software)                                                            0x64C40000
Library  C:\Program Files\AVAST Software\Avast\ashBase.dll (Basic Functionality Module/AVAST Software)                                                                  0x64500000
Library  C:\Program Files\AVAST Software\Avast\aswEngLdr.dll (Antivirus engine loader/AVAST Software)                                                                   0x64BC0000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000
Library  C:\Program Files\AVAST Software\Avast\1033\Base.dll (avast! English Basic Module/AVAST Software)                                                               0x66080000
Library  C:\Program Files\AVAST Software\Avast\ashServ.dll (avast! antivirus service/AVAST Software)                                                                    0x65080000
Library  C:\Program Files\AVAST Software\Avast\aswAux.dll (avast! Auxiliary Library/AVAST Software)                                                                     0x64580000
Library  C:\Program Files\AVAST Software\Avast\ashTask.dll (Task Handling Module/AVAST Software)                                                                        0x64800000
Library  C:\Program Files\AVAST Software\Avast\ashTaskEx.dll (avast! TaskEx library/AVAST Software)                                                                     0x647C0000
Library  C:\Program Files\AVAST Software\Avast\aswLog.dll (avast! Log library/AVAST Software)                                                                           0x64700000
Library  C:\Program Files\AVAST Software\Avast\aswSqLt.dll (avast! SQLite library/AVAST Software)                                                                       0x64840000
Library  C:\Program Files\AVAST Software\Avast\aswProperty.dll (avast! Property Storage library/AVAST Software)                                                         0x64740000
Library  C:\Program Files\AVAST Software\Avast\Aavm4h.dll (avast! Asynchronous Virus Monitor (AAVM)/AVAST Software)                                                     0x65000000
Library  C:\Program Files\AVAST Software\Avast\AavmRpch.dll (avast! AAVM Remote Procedure Call Library/AVAST Software)                                                  0x65400000
Library  C:\Program Files\AVAST Software\Avast\aswIdle.dll (avast! Idle Hook Library/AVAST Software)                                                                    0x64A00000
Library  C:\Program Files\AVAST Software\Avast\aswDld.dll (aswDld Dynamic Link Library/AVAST Software)                                                                  0x646C0000
Library  C:\Program Files\AVAST Software\Avast\AhResBhv.dll (avast! Behavior Shield AAVM Provider Library/AVAST Software)                                               0x65920000
Library  C:\Program Files\AVAST Software\Avast\AhResJs.dll (avast! Script Blocking AAVM Provider Library/AVAST Software)                                                0x65860000
Library  C:\Program Files\AVAST Software\Avast\AhResMai.dll (avast! e-Mail Scanner AAVM Provider Library/AVAST Software)                                                0x65840000
Library  C:\Program Files\AVAST Software\Avast\AhResMes.dll (avast! Messenger scanner AAVM Provider Library/AVAST Software)                                             0x65880000
Library  C:\Program Files\AVAST Software\Avast\AhResNS.dll (avast! Network Shield AAVM Provider Library/AVAST Software)                                                 0x658C0000
Library  C:\Program Files\AVAST Software\Avast\AhResP2P.dll (avast! P2P Shield AAVM Provider Library/AVAST Software)                                                    0x658A0000
Library  C:\Program Files\AVAST Software\Avast\AhResStd.dll (avast! Standard Shield  AAVM Provider Library/AVAST Software)                                              0x65800000
Library  C:\Program Files\AVAST Software\Avast\AhResWS.dll (avast! HTTP Scanner AAVM Provider Library/AVAST Software)                                                   0x658E0000
Library  C:\Program Files\AVAST Software\Avast\ashMaiSv.dll (avast! e-Mail Scanner Service/AVAST Software)                                                              0x65200000
Library  C:\Program Files\AVAST Software\Avast\ashWebSv.dll (avast! Web Scanner/AVAST Software)                                                                         0x65100000
Library  C:\Program Files\Bonjour\mdnsNSP.dll (Bonjour Namespace Provider/Apple Inc.)                                                                                   0x06950000
Library  C:\Program Files\AVAST Software\Avast\ashWsFtr.dll (avast! Web Shield Filter Module/AVAST Software)                                                            0x68300000
Library  C:\Program Files\AVAST Software\Avast\defs\11052800\aswEngin.dll (High level antivirus engine/AVAST Software)                                                  0x08350000
Library  C:\Program Files\AVAST Software\Avast\defs\11052800\aswCmnOS.dll (Antivirus HW dependent library/AVAST Software)                                               0x06170000
Library  C:\Program Files\AVAST Software\Avast\defs\11052800\aswCmnIS.dll (Antivirus independent functions/AVAST Software)                                              0x061A0000
Library  C:\Program Files\AVAST Software\Avast\defs\11052800\aswCmnBS.dll (Common functions/AVAST Software)                                                             0x061E0000
Library  C:\Program Files\AVAST Software\Avast\defs\11052800\aswScan.dll (Low level antivirus engine/AVAST Software)                                                    0x06BA0000
Library  C:\Program Files\AVAST Software\Avast\defs\11052800\algo.dll                                                                                                   0x08480000
Library  C:\Program Files\AVAST Software\Avast\defs\11052801\aswEngin.dll (High level antivirus engine/AVAST Software)                                                  0x64240000
Library  C:\Program Files\AVAST Software\Avast\defs\11052801\aswCmnOS.dll (Antivirus HW dependent library/AVAST Software)                                               0x64000000
Library  C:\Program Files\AVAST Software\Avast\defs\11052801\aswCmnIS.dll (Antivirus independent functions/AVAST Software)                                              0x64100000
Library  C:\Program Files\AVAST Software\Avast\defs\11052801\aswCmnBS.dll (Common functions/AVAST Software)                                                             0x64080000
Library  C:\Program Files\AVAST Software\Avast\defs\11052801\aswScan.dll (Low level antivirus engine/AVAST Software)                                                    0x64200000
Library  C:\Program Files\AVAST Software\Avast\defs\11052801\algo.dll                                                                                                   0x63400000
Library  C:\Program Files\AVAST Software\Avast\defs\11052801\arPot.dll (ArPot usermode dll component/AVAST Software)                                                    0x63B20000

Process  C:\WINDOWS\Explorer.EXE (Windows Explorer/Microsoft Corporation)                                                                                               1752
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000
Library  C:\Program Files\AVAST Software\Avast\ashShell.dll (avast! Shell Extension/AVAST Software)                                                                     0x64E40000
Library  C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (PDF Shell Extension/Adobe Systems, Inc.)                                                     0x02D70000
Library  C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes' Anti-Malware/Malwarebytes Corporation)                                                  0x02E50000

Process  C:\WINDOWS\system32\spoolsv.exe (Spooler SubSystem App/Microsoft Corporation)                                                                                  1852
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000
Library  C:\WINDOWS\system32\msonpmon.dll (Microsoft Office OneNote 2007 Printer Driver/Microsoft Corporation)                                                          0x00B10000
Library  C:\WINDOWS\System32\spool\PRTPROCS\W32X86\filterpipelineprintproc.dll (Print Filter Pipeline Proxy/Microsoft Corporation)                                      0x3F420000
Library  C:\WINDOWS\System32\spool\PRTPROCS\W32X86\msonpppr.dll (Microsoft Office OneNote 2007 Printer Driver/Microsoft Corporation)                                    0x00D90000
Library  C:\Program Files\Bonjour\mdnsNSP.dll (Bonjour Namespace Provider/Apple Inc.)                                                                                   0x64000000

Process  C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)                                                                2168
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\System32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000
Library  C:\WINDOWS\System32\strmfilt.dll (Stream Filter Library/Microsoft Corporation)                                                                                 0x6F290000

Process  C:\WINDOWS\system32\hkcmd.exe (hkcmd Module/Intel Corporation)                                                                                                 2180
Library  C:\WINDOWS\system32\hkcmd.exe (hkcmd Module/Intel Corporation)                                                                                                 0x00400000
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\hccutils.DLL (hccutils Module/Intel Corporation)                                                                                           0x10000000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000
Library  C:\WINDOWS\system32\igfxdev.dll (igfxdev Module/Intel Corporation)                                                                                             0x009D0000
Library  C:\WINDOWS\system32\igfxsrvc.dll (igfxsrvc Module/Intel Corporation)                                                                                           0x00AA0000
Library  C:\WINDOWS\system32\igfxres.dll (xxxxres Module/Intel Corporation)                                                                                             0x00B20000
Library  C:\WINDOWS\system32\igfxhk.dll (igfxhk Module/Intel Corporation)                                                                                               0x00B60000

Process  C:\WINDOWS\SOUNDMAN.EXE (Realtek Sound Manager/Realtek Semiconductor Corp.)                                                                                    2188
Library  C:\WINDOWS\SOUNDMAN.EXE (Realtek Sound Manager/Realtek Semiconductor Corp.)                                                                                    0x00400000
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\Program Files\QuickTime\qttask.exe (QuickTime Task/Apple Inc.)                                                                                              2212
Library  C:\Program Files\QuickTime\qttask.exe (QuickTime Task/Apple Inc.)                                                                                              0x00400000
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000

Process  C:\Program Files\AVAST Software\Avast\avastUI.exe (avast! Antivirus/AVAST Software)                                                                            2220
Library  C:\Program Files\AVAST Software\Avast\avastUI.exe (avast! Antivirus/AVAST Software)                                                                            0x00400000
Library  C:\Program Files\AVAST Software\Avast\aswUtil.dll (avast! Utility library/AVAST Software)                                                                      0x64780000
Library  C:\Program Files\AVAST Software\Avast\ashBase.dll (Basic Functionality Module/AVAST Software)                                                                  0x64500000
Library  C:\Program Files\AVAST Software\Avast\aswEngLdr.dll (Antivirus engine loader/AVAST Software)                                                                   0x64BC0000
Library  C:\Program Files\AVAST Software\Avast\aswCmnOS.dll (Antivirus HW dependent library/AVAST Software)                                                             0x64C00000
Library  C:\Program Files\AVAST Software\Avast\aswCmnIS.dll (Antivirus independent functions/AVAST Software)                                                            0x64C40000
Library  C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)                                                                           0x64C80000
Library  C:\Program Files\AVAST Software\Avast\ashTask.dll (Task Handling Module/AVAST Software)                                                                        0x64800000
Library  C:\Program Files\AVAST Software\Avast\aswAux.dll (avast! Auxiliary Library/AVAST Software)                                                                     0x64580000
Library  C:\Program Files\AVAST Software\Avast\aswLog.dll (avast! Log library/AVAST Software)                                                                           0x64700000
Library  C:\Program Files\AVAST Software\Avast\aswSqLt.dll (avast! SQLite library/AVAST Software)                                                                       0x64840000
Library  C:\Program Files\AVAST Software\Avast\aswProperty.dll (avast! Property Storage library/AVAST Software)                                                         0x64740000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)                                                                       0x74D90000
Library  C:\Program Files\AVAST Software\Avast\1033\Base.dll (avast! English Basic Module/AVAST Software)                                                               0x66080000
Library  C:\Program Files\AVAST Software\Avast\aswData.dll (avast! UI Layer library/AVAST Software)                                                                     0x64680000
Library  C:\Program Files\AVAST Software\Avast\ashTaskEx.dll (avast! TaskEx library/AVAST Software)                                                                     0x647C0000
Library  C:\Program Files\AVAST Software\Avast\Aavm4h.dll (avast! Asynchronous Virus Monitor (AAVM)/AVAST Software)                                                     0x65000000
Library  C:\Program Files\AVAST Software\Avast\AavmRpch.dll (avast! AAVM Remote Procedure Call Library/AVAST Software)                                                  0x65400000
Library  C:\Program Files\AVAST Software\Avast\1033\UILangRes.dll (UILangRes/AVAST Software)                                                                            0x660C0000
Library  C:\Program Files\AVAST Software\Avast\CommonRes.dll (Common UI resources/AVAST Software)                                                                       0x66100000
Library  C:\Program Files\Bonjour\mdnsNSP.dll (Bonjour Namespace Provider/Apple Inc.)                                                                                   0x64000000
Library  C:\WINDOWS\system32\L3CODECA.ACM (MPEG Layer-3 Audio Codec for MSACM/Fraunhofer Institut Integrierte Schaltungen IIS)                                          0x3D520000

Process  C:\Program Files\Common Files\Java\Java Update\jusched.exe (Java(TM) Update Scheduler/Sun Microsystems, Inc.)                                                  2228
Library  C:\Program Files\Common Files\Java\Java Update\jusched.exe (Java(TM) Update Scheduler/Sun Microsystems, Inc.)                                                  0x00400000
Library  C:\Program Files\AVAST Software\Avast\snxhk.dll (avast! snxhk/AVAST Software)                                                                                  0x64D00000
Library  C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation)
cdruet
Jr. Member
Posts: 72


« Reply #101 on: May 28, 2011, 03:40:40 PM »

GMER file # 2

---- Services - GMER 1.0.15 ----

Service   (avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP/AVAST Software)                                                                                 [SYSTEM] Aavmker4
Service  C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek AC'97 Audio Driver (WDM)/Realtek Semiconductor Corp.)                                                         [MANUAL] ALCXWDM
Service   (avast! File System Access Blocking Driver/AVAST Software)                                                                                                    [AUTO] aswFsBlk
Service   (avast! File System Filter Driver for Windows XP/AVAST Software)                                                                                              [AUTO] aswMon2
Service   (avast! TDI RDR Driver/AVAST Software)                                                                                                                        [SYSTEM] aswRdr
Service   (avast! Virtualization Driver/AVAST Software)                                                                                                                 [SYSTEM] aswSnx
Service   (avast! self protection module/AVAST Software)                                                                                                                [SYSTEM] aswSP
Service   (avast! TDI Filter Driver/AVAST Software)                                                                                                                     [SYSTEM] aswTdi
Service  C:\Program Files\AVAST Software\Avast\AvastSvc.exe (avast! Service/AVAST Software)                                                                             [AUTO] avast! Antivirus
Service  C:\WINDOWS\System32\Drivers\BANTExt.sys                                                                                                                        [SYSTEM] BANTExt
Service  C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.)                                                                                        [AUTO] Bonjour Service
Service  C:\DOCUME~1\DAVID&~1\LOCALS~1\Temp\catchme.sys                                                                                                                 [MANUAL] catchme
Service  C:\WINDOWS\system32\DRIVERS\e100b325.sys (NDIS 5.1 driver/Intel Corporation)                                                                                   [MANUAL] E100B
Service                                                                                                                                                                 [MANUAL] FTDIBUS
Service                                                                                                                                                                 [MANUAL] FTSER2K
Service  C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (CD DVD Filter/GEAR Software Inc.)                                                                                 [MANUAL] GEARAspiWDM
Service  C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys (HSF_HWB2 WDM driver/Conexant Systems, Inc.)                                                                          [MANUAL] HSFHWBS2
Service  C:\WINDOWS\system32\DRIVERS\USR_MDM.sys (HSF_DP driver/Conexant Systems, Inc.)                                                                                 [MANUAL] HSF_DP
Service  C:\WINDOWS\system32\DRIVERS\ialmnt5.sys (Intel Graphics Miniport Driver/Intel Corporation)                                                                     [MANUAL] ialm
Service  C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (IDriverT Module/Macrovision Corporation)                                        [MANUAL] IDriverT
Service                                                                                                                                                                 ILADFtmi
Service  C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.)                                                                 [AUTO] JavaQuickStarterService
Service  C:\WINDOWS\System32\Drivers\toywdm.sys (Universal Serial Bus Camera Driver/Windows (R) 2000 DDK provider)                                                      [MANUAL] JL2005
Service  C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Diagnostic Interface DRIVER/Conexant)                                                                                 [AUTO] mdmxsdk
Service                                                                                                                                                                 MSDTC Bridge 3.0.0.0
Service  c:\Program Files\Intel\NCS\Sync\NetSvc.exe (NetSvc Module/Intel(R) Corporation)                                                                                [MANUAL] NetSvc
Service                                                                                                                                                                 Outlook
Service  C:\WINDOWS\system32\drivers\PalmUSBD.sys (USB Driver for Palm OS Handheld Devices/PalmSource, Inc.)                                                            [MANUAL] PalmUSBD
Service  C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.)                                          [MANUAL] Ptilink
Service                                                                                                                                                                 RSGatherer
Service                                                                                                                                                                 RSGTHRSVC
Service                                                                                                                                                                 RSIndex
Service                                                                                                                                                                 RSSearch
Service  C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)  [MANUAL] Secdrv
Service                                                                                                                                                                 ServiceModelEndpoint 3.0.0.0
Service                                                                                                                                                                 ServiceModelOperation 3.0.0.0
Service                                                                                                                                                                 ServiceModelService 3.0.0.0
Service                                                                                                                                                                 SMSvcHost 3.0.0.0
Service  C:\WINDOWS\system32\DRIVERS\StreamIP.sys (Microsoft IP Test Driver/Microsoft Corporation)                                                                      [MANUAL] streamip
Service                                                                                                                                                                 [MANUAL] TlntSvr
Service  C:\WINDOWS\system32\DRIVERS\HSF_USR.sys (HSF_CNXT driver/Conexant Systems, Inc.)                                                                               [MANUAL] winachsf
Service                                                                                                                                                                 Windows Workflow Foundation 3.0.0.0
Service                                                                                                                                                                 Wmi

---- EOF - GMER 1.0.15 ----
Logged
Jintan
Administrator
Hero Member
*****
Posts: 3883



WWW
« Reply #102 on: May 28, 2011, 05:18:59 PM »

Sorry for the long log, but Avast has a lot of "hooks" of its own. It, and malware, use these to monitor, and effect changes to, running processes.

Nothing in that Gmer log though.

Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display.

Then without making any other changes click the Check button to start the scan. Once it has completed click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

That will be very much a killer of a log file, so zip a copy of it, and send it to jintan @ malwarecrypt.com as an attachment. Please place "Submitted Files -cdruet/mc/radix" as the email Subject.

Radix also has the ability to locate, and make copies of, what is at locations like these:

Entrypoint Error: ChangeServiceConfigA      Unknown Dest. address is: 0x003B0B09
Logged
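As an added example (not from this thread, and not part of GMER, ComboFix or Radix), here is a small Python parser for the "Service" section layout shown in the posted GMER log: optional image path, optional "(description/vendor)" string, optional "[START]" type, then the service name. It pulls those fields apart and flags the entries a responder would check first: an image under a user-writable directory such as Temp, an image with no description/vendor string, or an entry with no image path at all. The sample lines are constructed to mirror the posted listing, the flag rules are mine, and the parser assumes (as holds for every line in the posted log) that an entry without a "[START]" tag carries no path either. A flag is only a prompt to verify; catchme.sys in Temp, for instance, belongs to the ComboFix run earlier in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modeled on the "Service" section of the GMER log posted
# above (same columns: optional path, optional "(description/vendor)",
# optional "[START]" type, then the service name). Not real tool output.
SAMPLE_LOG = r"""
Service   (avast! TDI Filter Driver/AVAST Software)                        [SYSTEM] aswTdi
Service  C:\Program Files\AVAST Software\Avast\AvastSvc.exe (avast! Service/AVAST Software)  [AUTO] avast! Antivirus
Service  C:\DOCUME~1\DAVID&~1\LOCALS~1\Temp\catchme.sys                    [MANUAL] catchme
Service                                                                    [MANUAL] FTDIBUS
Service                                                                    ILADFtmi
Service  C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation)  [MANUAL] Secdrv

---- EOF - GMER 1.0.15 ----
"""


@dataclass
class ServiceEntry:
    name: str
    path: Optional[str]
    description: Optional[str]
    vendor: Optional[str]
    start: Optional[str]
    flags: List[str] = field(default_factory=list)


# "[START] name" at the end of the line; the name may contain spaces.
_START_RE = re.compile(r"\[(?P<start>[A-Z]+)\]\s*(?P<name>\S.*?)\s*$")

# Directory markers a standard user can write to (assumed list, lower-cased).
_USER_WRITABLE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\users\\")


def _split_description(prefix: str):
    """Split 'path (description/vendor)' into (path, description, vendor).
    Walks back from the trailing ')' so descriptions with nested parentheses
    such as 'Java(TM) Quick Starter Service' are kept whole."""
    prefix = prefix.strip()
    if not prefix.endswith(")"):
        return (prefix or None), None, None
    depth = 0
    for i in range(len(prefix) - 1, -1, -1):
        if prefix[i] == ")":
            depth += 1
        elif prefix[i] == "(":
            depth -= 1
            if depth == 0:
                path = prefix[:i].strip() or None
                desc, sep, vendor = prefix[i + 1:-1].rpartition("/")
                if not sep:  # no '/' at all: the whole text is the description
                    return path, vendor, None
                return path, desc, vendor
    return prefix, None, None


def triage_flags(entry: ServiceEntry) -> List[str]:
    """Review flags (not verdicts) for one parsed service entry."""
    flags: List[str] = []
    if entry.path is None:
        if entry.description is None:
            flags.append("no-image-path")  # neither a file nor version info resolved
    else:
        lower = entry.path.lower()
        if any(marker in lower for marker in _USER_WRITABLE_MARKERS):
            flags.append("user-writable-location")
        if entry.description is None:
            flags.append("no-version-info")  # file found, but no description/vendor string
    return flags


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one 'Service ...' line; returns None for any other line."""
    if not line.startswith("Service"):
        return None
    rest = line[len("Service"):].strip()
    m = _START_RE.search(rest)
    if m:
        start, name = m.group("start"), m.group("name")
        prefix = rest[:m.start()]
    else:
        # Assumption: an entry without "[START]" carries no path either, so
        # the remainder is the service name (true of every such posted line).
        start, name, prefix = None, rest, ""
    path, desc, vendor = _split_description(prefix)
    entry = ServiceEntry(name=name, path=path, description=desc, vendor=vendor, start=start)
    entry.flags = triage_flags(entry)
    return entry


def parse_gmer_services(text: str) -> List[ServiceEntry]:
    """All 'Service' entries in a GMER-style listing, in file order."""
    return [e for e in map(parse_service_line, text.splitlines()) if e is not None]


def flagged(text: str) -> List[ServiceEntry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in parse_gmer_services(text) if e.flags]


if __name__ == "__main__":
    for e in parse_gmer_services(SAMPLE_LOG):
        print(f"{e.name:<20} start={str(e.start):<7} path={e.path} flags={e.flags}")
```

Run it as a script to see every entry with its flags; on the constructed sample only catchme, FTDIBUS and ILADFtmi are flagged, while the avast! entries without a path are not, because GMER still resolved a description and vendor for them.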
cdruet
Jr. Member
**
Posts: 72


« Reply #103 on: May 28, 2011, 05:37:20 PM »

How do I "zip" a file?
Logged
Jintan
Administrator
Hero Member
*****
Posts: 3883



WWW
« Reply #104 on: May 28, 2011, 06:32:26 PM »

Right click the file - Send To - Compressed (zipped) Folder.

I also forgot about the virtual memory. Please return to that location and change it to allow the system to monitor it. Then click the Set button, Apply/OK.
Logged