win32: Malware-gen

Unread postby Panthus » September 6th, 2011, 7:57 pm

Using Avast normally on Windows 7, it puts it in the chest and deletes it, but it keeps coming back.

I also tried Malwarebytes, which said it had removed it and now shows clean, but I still have the symptoms and Avast has flagged it again.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Andrew at 0:49:44 on 2011-09-07
Microsoft Windows 7 Professional 6.1.7601.1.1252.44.1033.18.3032.1500 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Alwil Software\Avast5\afwServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\ANIWConnService.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Virgin Media\Service Manager\ServicepointService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\V7 5 BTN Wireless Optical Mouse\ICO.EXE
C:\Program Files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\V7 5 BTN Wireless Optical Mouse\Pelmiced.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
mRun: [ANIWZCS2Service] C:\Program Files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
mRun: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
Trusted Zone: surrey.ac.uk\ulearn
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{21C18725-03DD-4777-A768-6B69AF2F415D} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{21C18725-03DD-4777-A768-6B69AF2F415D}\244584F6D65684572623D21584A525 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{21C18725-03DD-4777-A768-6B69AF2F415D}\35B4955414445334 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{21C18725-03DD-4777-A768-6B69AF2F415D}\458656841647476416D696C697 : DhcpNameServer = 192.168.168.254
TCP: Interfaces\{21C18725-03DD-4777-A768-6B69AF2F415D}\86162777F6F64686F6D656 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{21C18725-03DD-4777-A768-6B69AF2F415D}\C696E6B6379737 : DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{8D5A5A7C-336F-49D3-B5AE-69BACD25B29F} : DhcpNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [ANIWZCS2Service] C:\Program Files (x86)\ANI\ANIWZCS2 Service\WZCSLDR2.exe
mRun-x64: [(Default)]
mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
mRun-x64: [avast] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\0cxeddwj.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Virgin Media\Service Manager\nprpspa.dll
FF - plugin: C:\Users\Andrew\AppData\Local\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Users\Andrew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;C:\Windows\system32\DRIVERS\aswNdis.sys --> C:\Windows\system32\DRIVERS\aswNdis.sys [?]
R0 aswNdis2;avast! Firewall Core Firewall Service;C:\Windows\system32\drivers\aswNdis2.sys --> C:\Windows\system32\drivers\aswNdis2.sys [?]
R0 DRVECDB;DRVECDB;C:\Windows\system32\Drivers\DRVECDB.SYS --> C:\Windows\system32\Drivers\DRVECDB.SYS [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 aswFW;avast! TDI Firewall driver;C:\Windows\system32\drivers\aswFW.sys --> C:\Windows\system32\drivers\aswFW.sys [?]
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R1 DLARTL_E;DLARTL_E;C:\Windows\system32\Drivers\DLARTL_E.SYS --> C:\Windows\system32\Drivers\DLARTL_E.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 ANIWConnService;ANIWConn Service;C:\Windows\System32\ANIWConnService.exe [2010-9-18 147456]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-9-7 44768]
R2 avast! Firewall;avast! Firewall;C:\Program Files\Alwil Software\Avast5\afwServ.exe [2011-9-7 127192]
R2 DLABMFSE;DLABMFSE;C:\Windows\system32\DLA\DLABMFSE.SYS --> C:\Windows\system32\DLA\DLABMFSE.SYS [?]
R2 DLABOIOE;DLABOIOE;C:\Windows\system32\DLA\DLABOIOE.SYS --> C:\Windows\system32\DLA\DLABOIOE.SYS [?]
R2 DLADResE;DLADResE;C:\Windows\system32\DLA\DLADResE.SYS --> C:\Windows\system32\DLA\DLADResE.SYS [?]
R2 DLAIFS_E;DLAIFS_E;C:\Windows\system32\DLA\DLAIFS_E.SYS --> C:\Windows\system32\DLA\DLAIFS_E.SYS [?]
R2 DLAOPIOE;DLAOPIOE;C:\Windows\system32\DLA\DLAOPIOE.SYS --> C:\Windows\system32\DLA\DLAOPIOE.SYS [?]
R2 DLAPoolE;DLAPoolE;C:\Windows\system32\DLA\DLAPoolE.SYS --> C:\Windows\system32\DLA\DLAPoolE.SYS [?]
R2 DLAUDF_E;DLAUDF_E;C:\Windows\system32\DLA\DLAUDF_E.SYS --> C:\Windows\system32\DLA\DLAUDF_E.SYS [?]
R2 DLAUDFAE;DLAUDFAE;C:\Windows\system32\DLA\DLAUDFAE.SYS --> C:\Windows\system32\DLA\DLAUDFAE.SYS [?]
R2 DRVEDDM;DRVEDDM;C:\Windows\system32\Drivers\DRVEDDM.SYS --> C:\Windows\system32\Drivers\DRVEDDM.SYS [?]
R2 ezGOSvc;Easybits GO Services for Windows;C:\Windows\system32\svchost.exe -k netsvcs [2009-7-14 20992]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S1 DLACDBHE;DLACDBHE;C:\Windows\system32\Drivers\DLACDBHE.SYS --> C:\Windows\system32\Drivers\DLACDBHE.SYS [?]
S2 Ca1528av;SPCA1528 Video Camera Service;C:\Windows\system32\Drivers\Ca1528av.sys --> C:\Windows\system32\Drivers\Ca1528av.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Bulk1528;SPCA1528 Still Camera Service;C:\Windows\system32\Drivers\Bulk1528.sys --> C:\Windows\system32\Drivers\Bulk1528.sys [?]
S3 rt2870;D-Link 802.11n USB Wireless LAN Card Driver;C:\Windows\system32\DRIVERS\rt2870.sys --> C:\Windows\system32\DRIVERS\rt2870.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
.
=============== Created Last 30 ================
.
2011-09-06 23:17:51 -------- d-----w- C:\Users\Andrew\AppData\Roaming\Malwarebytes
2011-09-06 23:17:44 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-09-06 23:17:44 -------- d-----w- C:\ProgramData\Malwarebytes
2011-09-06 23:17:40 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-09-06 23:17:40 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-09-06 23:09:19 140120 ----a-w- C:\Windows\System32\drivers\aswFW.sys
2011-09-06 23:09:03 258392 ----a-w- C:\Windows\System32\drivers\aswNdis2.sys
2011-09-06 14:10:12 -------- d-----we C:\Windows\system64
2011-09-06 11:58:53 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D14F45FB-AE67-4E13-81D4-B0FDB798DF92}\mpengine.dll
2011-09-02 23:12:22 -------- d-----w- C:\T3Fun
2011-09-02 20:47:18 -------- d-----w- C:\Program Files (x86)\Hellgate Global
2011-09-02 19:35:16 -------- d-----w- C:\Download
2011-09-02 19:34:58 -------- d-----w- C:\ProgramData\xOcean
2011-09-02 19:34:22 -------- d-----w- C:\Program Files (x86)\BlastShark
2011-08-24 10:25:18 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-08-24 10:25:18 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-08-15 16:16:52 -------- d-----w- C:\Program Files (x86)\VirtualFem
2011-08-15 16:07:24 -------- d-----w- C:\Users\Andrew\AppData\Local\Babylon
2011-08-15 16:07:23 -------- d-----w- C:\Users\Andrew\AppData\Roaming\Babylon
2011-08-15 16:07:23 -------- d-----w- C:\ProgramData\Babylon
2011-08-13 18:17:18 -------- d-----w- C:\Users\Andrew\AppData\Local\{79BFB9CF-932F-41E7-B241-FCC0981E367B}
2011-08-12 09:22:57 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-08-12 09:22:56 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-08-11 08:10:59 338432 ----a-w- C:\Windows\System32\conhost.exe
.
==================== Find3M ====================
.
2011-09-06 20:45:29 41184 ----a-w- C:\Windows\avastSS.scr
2011-09-06 20:38:18 601944 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-09-06 20:36:30 65368 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-08-29 22:14:44 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-12 10:34:00 96104 ----a-w- C:\Windows\System32\dns-sd.exe
2011-07-12 10:34:00 85864 ----a-w- C:\Windows\System32\dnssd.dll
2011-07-12 10:20:54 83816 ----a-w- C:\Windows\SysWow64\dns-sd.exe
2011-07-12 10:20:54 73064 ----a-w- C:\Windows\SysWow64\dnssd.dll
2011-07-09 02:46:28 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-07-04 10:59:17 80256 ----a-w- C:\Windows\SysWow64\ezGOSvc.dll
2011-07-04 10:59:16 663424 ----a-w- C:\Windows\SysWow64\ezGOSvcApp.exe
2011-07-04 10:33:11 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-07-04 10:33:11 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-23 05:43:12 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-06-23 04:33:57 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:33:57 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll
2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll
2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 0:53:59.36 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 08/11/2009 17:07:07
System Uptime: 07/09/2011 00:27:13 (0 hours ago)
.
Motherboard: Dell Inc. | | 0G848F
Processor: Celeron(R) Dual-Core CPU T3000 @ 1.80GHz | Microprocessor | 1795/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 100.367 GiB free.
D: is CDROM (CDFS)
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Windows Firewall Authorization Driver
Device ID: ROOT\LEGACY_MPSDRV\0000
Manufacturer:
Name: Windows Firewall Authorization Driver
PNP Device ID: ROOT\LEGACY_MPSDRV\0000
Service: mpsdrv
.
==== System Restore Points ===================
.
RP354: 23/08/2011 09:25:45 - Windows Update
RP355: 25/08/2011 11:32:52 - Windows Update
RP356: 30/08/2011 09:12:18 - Windows Update
RP357: 02/09/2011 12:29:22 - Windows Update
RP358: 02/09/2011 22:08:35 - Installed Hellgate
RP359: 02/09/2011 23:53:23 - Installed Hellgate
RP360: 03/09/2011 00:09:58 - Installed Hellgate
RP361: 06/09/2011 12:57:36 - Windows Update
RP362: 06/09/2011 22:42:37 - Removed Java(TM) 6 Update 22
RP363: 06/09/2011 22:44:50 - Removed Java(TM) 6 Update 26
.
==== Installed Programs ======================
.
ACDSee for PENTAX 3.0
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.5
Adobe Shockwave Player 11.5
ANIWZCS2 Service
Apple Application Support
Apple Software Update
avast! Internet Security
Black & White® 2
Click to Call with Skype
CodeBlocks
Compatibility Pack for the 2007 Office system
D-Link Wireless N DWA-140
D3DX10
Diablo II
Dropbox
Dungeon Siege 2
Dungeon Siege III Demo
EasyBits GO
Express Burn Disc Burning Software
Fences (Free)
Google Chrome
Google Earth Plug-in
Google SketchUp 8
Google Update Helper
Half-Life
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
Half-Life: Blue Shift
Half-Life: Opposing Force
Hellgate
Heroes of Might and Magic
Heroes of Might and Magic 3 Complete
Heroes of Might and Magic 4
Hotfix for Microsoft Visual C++ 2010 Express - ENU (KB2455033)
James Bond 007: Nightfire
Java Auto Updater
LogonStudio
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Application Error Reporting
Microsoft Silverlight
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 Express - ENU
Microsoft Works
Mozilla Firefox 6.0.2 (x86 en-GB)
MPLAB C for PIC18 MCUs
MPLAB Tools v8.56
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyColors
MyColors Sins of a Solar Empire Desktop
NVIDIA PhysX
ObjectDock
Oblivion
OpenOffice.org 3.3
Portal
Portal 2
QuickTime
RecordPad Sound Recorder
Risk II
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
RuneScape Launcher 1.0.4
Sacred
Safari
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Visual C++ 2010 Express - ENU (KB2251489)
Shockwave
Sins of a Solar Empire
Sins of a Solar Empire - Entrenchment
Skype™ 5.5
Sniper: Art of Victory
Songbird 1.9.3 (Build 1959)
Sonic Activation Module
SPCA1528 PC Driver
Spellforce Platinum
Spotify
Star Wars Jedi Knight Jedi Academy
Steam
Switch Sound File Converter
Team Fortress 2
Team Fortress Classic
UltraStar 0.8.4
Unity Web Player
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Virgin Media Service Manager 3.7.47
VLC media player 1.0.1
Vodafone Mobile Connect Lite
WavePad Sound Editor
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinRAR archiver
ZionWorx
.
==== Event Viewer Messages From Past Week ========
.
07/09/2011 00:33:25, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Windows Firewall Authorization Driver service which failed to start because of the following error: Cannot create a file when that file already exists.
07/09/2011 00:33:25, Error: Service Control Manager [7000] - The Windows Firewall Authorization Driver service failed to start due to the following error: Cannot create a file when that file already exists.
07/09/2011 00:29:40, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
07/09/2011 00:28:34, Error: Service Control Manager [7000] - The SPCA1528 Video Camera Service service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
07/09/2011 00:27:20, Error: Application Popup [876] - Driver DLACDBHE.SYS has been blocked from loading.
06/09/2011 12:46:10, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
02/09/2011 11:15:49, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
02/09/2011 01:34:11, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
.
==== End Of File ===========================
Panthus
Regular Member
Posts: 21
Joined: September 6th, 2011, 7:49 pm

Re: win32: Malware-gen

Unread postby diver79 » September 10th, 2011, 4:44 pm

Hi and welcome to MalwareRemoval.com. Sorry for any delay in answering your request for help; the forum is really busy.
My name is Diver79, and I will be helping you with your malware problems. I am currently in training at the Malware University. All of my instructions need to be checked and approved by a teacher, which may lead to a slight delay.

Before we start please note the following important guidelines.
  • The instructions being given are for YOUR computer only! Using these instructions on a different computer can make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!
Note: If you haven't done so already, please ensure you have read the following article: ALL USERS OF THIS FORUM MUST READ THIS FIRST, where the conditions for receiving help here are explained.
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that necessitate taking your computer to a repair shop.
Because of this, I advise you to back up any personal files and folders before you start.
How do I backup my files and folders in XP?
How to backup your data - Vista/Win7

Researching your logs now. Will post instructions soon.

diver79
Retired Graduate
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: win32: Malware-gen

Unread postby Panthus » September 12th, 2011, 4:11 pm

Ok, everything is backed up.
Thanks in advance for the help :)
Panthus
Regular Member
Posts: 21
Joined: September 6th, 2011, 7:49 pm

Re: win32: Malware-gen

Unread postby diver79 » September 13th, 2011, 2:33 am

Hi Panthus,

We need to do a registry and file search to confirm if you have the infection I think you have. Please follow the instructions below.

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems

    :filefind
    consrv.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
diver79
Retired Graduate
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: win32: Malware-gen

Unread postby Panthus » September 13th, 2011, 2:49 pm

SystemLook 30.07.11 by jpshortstuff
Log created at 19:44 on 13/09/2011 by Andrew
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Debug"=""
@="mnmsrvc"
"Kmode"="\SystemRoot\System32\win32k.sys"
"Optional"="Posix"
"Posix"="%SystemRoot%\system32\psxss.exe"
"Required"="Debug Windows"
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"


========== filefind ==========

Searching for "consrv.dll"
C:\Windows\system64\consrv.dll --a---- 31744 bytes [23:31 13/07/2009] [01:39 14/07/2009] 916C7ADECD51AA70359FFA7FD4D6ABF6

-= EOF =-
Panthus
Regular Member
Posts: 21
Joined: September 6th, 2011, 7:49 pm
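As a defender's check on the two SystemLook sections requested above (the registry search of the SubSystems key and the file search for consrv.dll), here is an added Python example; it is not part of the thread and not SystemLook's own code. It parses the "reg" section to list the server DLLs csrss is told to load, flags any module outside the set assumed here to be what a clean Windows 7 loads (basesrv, winsrv, sxssrv; that set is an assumption stated in the code), and flags any consrv.dll hit that sits outside System32 or SysWOW64 (a C:\Windows\system64 directory is not part of a standard Windows install). It also notes the WOW64 warning, since a 32-bit tool sees a redirected System32. The infected sample is the log posted above, trimmed; the clean sample is constructed for contrast.

```python
import re

# Assumption for this example: on a clean Windows 7 install csrss loads its
# console server from winsrv, so these are the only ServerDll modules expected.
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Directories a Windows system DLL is expected to live in (assumes a C: install).
KNOWN_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Sample input: the SystemLook output posted in the thread, trimmed to the lines read here.
INFECTED_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 19:44 on 13/09/2011 by Andrew
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Debug"=""
"Kmode"="\SystemRoot\System32\win32k.sys"
"Required"="Debug Windows"
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"

========== filefind ==========

Searching for "consrv.dll"
C:\Windows\system64\consrv.dll --a---- 31744 bytes [23:31 13/07/2009] [01:39 14/07/2009] 916C7ADECD51AA70359FFA7FD4D6ABF6

-= EOF =-
"""

# Constructed sample of what a clean machine would return (not real tool output).
CLEAN_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 12:00 on 01/01/2011 by Example
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"

========== filefind ==========

Searching for "consrv.dll"
(no hits)

-= EOF =-
"""

WINDOWS_VALUE_RE = re.compile(r'^"Windows"="(.*)"$', re.MULTILINE)
SERVER_DLL_RE = re.compile(r"ServerDll=([A-Za-z0-9_]+)(?::([A-Za-z0-9_]+))?,(\d+)")
# One filefind hit line: path, attribute flags, size, two timestamps, MD5.
FILE_HIT_RE = re.compile(
    r"^([A-Za-z]:\\.+?)\s+(\S+)\s+(\d+) bytes\s+\[(.+?)\]\s+\[(.+?)\]\s+([0-9A-Fa-f]{32})$",
    re.MULTILINE,
)


def parse_server_dlls(log):
    """Return [(module, entrypoint, index)] from the SubSystems 'Windows' value."""
    match = WINDOWS_VALUE_RE.search(log)
    if not match:
        return []
    return [(mod.lower(), entry, int(idx))
            for mod, entry, idx in SERVER_DLL_RE.findall(match.group(1))]


def parse_file_hits(log):
    """Return one dict per file reported by the filefind section."""
    return [{"path": path, "attrs": attrs, "size": int(size),
             "timestamps": (ts1, ts2), "md5": md5.upper()}
            for path, attrs, size, ts1, ts2, md5 in FILE_HIT_RE.findall(log)]


def assess(log):
    """Turn a SystemLook log into a list of findings (empty list = nothing odd)."""
    findings = []
    if "running under WOW64" in log:
        findings.append("32-bit SystemLook ran under WOW64: System32 lookups are "
                        "redirected, so rerun the x64 build before trusting file results")
    for module, entry, idx in parse_server_dlls(log):
        if module not in EXPECTED_SERVER_DLLS:
            findings.append(f"unexpected csrss ServerDll '{module}:{entry},{idx}' "
                            "in SubSystems\\Windows")
    for hit in parse_file_hits(log):
        directory = hit["path"].rsplit("\\", 1)[0].lower()
        if directory not in KNOWN_SYSTEM_DIRS:
            findings.append(f"{hit['path']} is outside the Windows system directories "
                            f"({hit['size']} bytes, MD5 {hit['md5']})")
    return findings


if __name__ == "__main__":
    for name, log in (("posted log", INFECTED_LOG), ("clean sample", CLEAN_LOG)):
        print(f"== {name} ==")
        for finding in assess(log) or ["no findings"]:
            print(" -", finding)
```

Run against the posted log it reports three things: the WOW64 warning, the consrv module wired into csrss at index 2, and the DLL sitting in C:\Windows\system64; against the constructed clean sample it reports nothing. Treat the expected-module set as the one thing to confirm for the Windows version at hand before reusing the check.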

Re: win32: Malware-gen

Unread postby diver79 » September 14th, 2011, 6:42 pm

Hi Panthus,

Apologies for the delay. I had hoped to get back to you today. I am still researching the infection you have and should be able to provide you with further information tomorrow.

Regards,

diver79.
Retired Graduate
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: win32: Malware-gen

Unread postby diver79 » September 15th, 2011, 1:03 pm

Hi Panthus,

I'm afraid I have some bad news for you: unfortunately, your computer is infected with a rootkit called ZeroAccess that also gives a remote attacker BACKDOOR ACCESS to the machine. Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victims' machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, Backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer, change settings on the computer and more. Please read this article by Roger A. Grimes on Remote Access Trojans; it will give you an idea of the severity of the type of infection you have.

What are Remote Access Trojans and why are they dangerous

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer, as the attacker will be able to get all the new passwords and transaction records.

Because of the severity and the capabilities of this type of virus (it cannot be known what changes to your system it has made or if it opened up other ways into your system), the only responsible course of action I can advise is to reformat your computer and reinstall Windows. If you choose to continue and attempt to remove the infection, I will be happy to help but cannot provide any guarantee of success. This particular infection has many tripwires designed to prevent security tools from running, which may cause further damage to your computer.

Further reading:

What are rootkits from Wikipedia
How do I respond to a possible identity theft and how do I prevent it
Restoring your Vista-W7 backups


Please let me know how you would like to proceed.

diver79
Retired Graduate
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: win32: Malware-gen

Unread postby Panthus » September 15th, 2011, 3:37 pm

I would prefer to proceed; hopefully it will be possible. However, I don't have access to the internet except through this PC.
Panthus
Regular Member
 
Posts: 21
Joined: September 6th, 2011, 7:49 pm

Re: win32: Malware-gen

Unread postby diver79 » September 15th, 2011, 3:49 pm

Hi Panthus,

OK, I'll do my best to get rid of the infection. First, can you tell me if you have the Windows installation CD that came with the computer?

I am compiling a fix for your problem, it will need to be approved before I can post it.

diver79
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: win32: Malware-gen

Unread postby Panthus » September 15th, 2011, 3:53 pm

It wasn't installed from disk; I had a version of Windows supplied by my uni on USB, which has since been returned.
Though the image used is still on this PC.

Also, don't know if it's relevant, but both Avast and Malwarebytes keep blocking potentially dangerous outgoing websites at quite regular intervals.
Panthus
Regular Member
 
Posts: 21
Joined: September 6th, 2011, 7:49 pm

Re: win32: Malware-gen

Unread postby diver79 » September 15th, 2011, 4:41 pm

Hi Panthus,

Do you have a USB drive you can use during this fix?
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: win32: Malware-gen

Unread postby Panthus » September 15th, 2011, 4:47 pm

Not to hand, but I do have several DVDs set up to USB-style storage mode and some micro SD cards, if those will do.
Panthus
Regular Member
 
Posts: 21
Joined: September 6th, 2011, 7:49 pm

Re: win32: Malware-gen

Unread postby diver79 » September 15th, 2011, 5:46 pm

No problem, you will need two blank writeable CDs for the next step though.

diver79.
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: win32: Malware-gen

Unread postby diver79 » September 16th, 2011, 3:39 pm

Hi Panthus,

I want to ensure we have sufficient recovery options before we continue. We will do this by first creating a System Recovery disk and then by creating a bootable xPud disk that can be used to access the disk if the need arises. You will need two blank writeable CDs/DVDs for this. We will also create a System Restore point. Please follow the instructions below.

Step 1 - Create System Recovery disk
  • Click on the Start button.
  • In the Search programs and files text box type recdisc and press Return.
  • The Create a System Repair Disk window should open.
  • Ensure your CD/DVD writer drive is selected and that there is a blank disk in the drive.
  • Click on the Create Disk button and allow the process to finish.


Step 2 - Create bootable xPud USB disk
  • Click here to download xPud. Save it to your Desktop. We will use this later.

    Download and Install ImgBurn
    • Click Here to download ImgBurn. Save it to your Desktop.
    • Double click the file to install the program. Accept the default options and let the installation finish.
    • Once installed follow the steps below to create a bootable disk using the ISO image downloaded earlier.
      Create Bootable Xpud Disk
    • Launch ImgBurn.
    • Select the Option to Write Image file to disk.
    • Click on the folder icon next to the text Please select a file.
    • In the window that appears browse to your desktop and select the file xpud-0.9.2.iso
    • Ensure your CD/DVD writer is selected in the Destination drop down menu and that you have a blank CD/DVD in the drive.
    • Select the Verify checkbox and click the Write icon.
    • ImgBurn will burn the ISO image to the disk and let you know if it was successful or not.


Step 3 - Create a System Restore Point
  • Right-click on the Computer icon and select Properties.
  • In the left pane under Tasks ... click on System protection.
    If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
  • Select the System Protection tab ...then choose Create.
  • In the System Restore dialog box, type a description for the restore point ... click Create, again.
    A window will pop up with "The Restore Point was created successfully" confirmation message.
  • Click OK ...then close the System Restore dialog.
Please leave the System Restore function "turned on" until we are finished and I give you the 'all clean' sign.
If you have successfully created a System Restore Point...we can proceed.


Let me know how you got on with each of the above steps. If successful we can proceed with the next steps.

diver79.
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm
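For the "Create a System Restore Point" step above, here is an added Windows PowerShell equivalent (my example, not something posted in the thread) that also verifies the point was actually recorded before you go on to cleanup. It assumes Windows lives on C: and that the description text is ours; run it from an elevated Windows PowerShell 5.1 prompt, since Checkpoint-Computer is not available in PowerShell 7.

```powershell
# Added example, not from the thread: script the "create a System Restore Point"
# step and confirm it was recorded. Assumptions: Windows is installed on C:, and
# the description below is our own choice.
$SystemDrive = "C:\"
$Description = "Before malware cleanup - $(Get-Date -Format 'yyyy-MM-dd HH:mm')"

# Checkpoint-Computer needs administrator rights; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Run as administrator) PowerShell prompt."
}

# Make sure System Restore is turned on for the system drive (harmless if already on).
Enable-ComputerRestore -Drive $SystemDrive

# Remember how many restore points exist so we can prove a new one was added.
$before = @(Get-ComputerRestorePoint).Count

# Create the restore point. MODIFY_SETTINGS is an appropriate type for a point
# requested by hand before changing the system.
Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

# Verify: the newest point must carry our description and the count must have grown.
# On Windows 8 and later the cmdlet silently skips creation when a point was made
# in the previous 24 hours; this check catches that case too.
$latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if ($latest.Description -ne $Description -or @(Get-ComputerRestorePoint).Count -le $before) {
    throw "Restore point was not created; do not start cleanup until it exists."
}
"Restore point #$($latest.SequenceNumber) created: $($latest.Description)"
```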

Re: win32: Malware-gen

Unread postby Panthus » September 16th, 2011, 4:33 pm

All successful.
Is it worth burning the Windows image to disk at some point?
Panthus
Regular Member
 
Posts: 21
Joined: September 6th, 2011, 7:49 pm