Infected with trojan.please help!!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Architype

Thread Starter
Joined
Mar 27, 2012
Messages
34
The issue first popped up when I tried to run the disk cleanup tool.My Avira anti virus said their was a Trojan running called TR/Crypt.ZPACK.Gen8. It seems to pop up on my avira anti virus about once every 30 minutes or so.Also, when I tried to run Hijackthis, I got a pop up from Hijackthis saying " For some reason your system denied write access to the host file.If any hijack domains are in this file, Hijackthis may not be able to fix them.If that happens you need to edit the file your self.

file: C:\WINDOWS\System32\drivers\etc\hosts


Aside from that, I couldn't get dds.scr file to operate correctly.I downloaded it to my desktop, but when i run it, I get a bunch of unreadable text and the second notepad file never pops up.


Below are my Hijackthis log and my gmer log....thanks for your help.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:23:42 PM, on 1/19/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre7\bin\jqs.exe
c:\Program Files\Autodesk\3ds Max Design 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\ZyXEL\N220\Common\RalinkRegistryWriter.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ZyXEL\N220\Common\N220.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Admin\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Admin\Desktop\HijackThis(3).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com?type=994519&fr=spigot-yhp-ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6081010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
R3 - URLSearchHook: Vuze Remote Toolbar - {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files\Vuze Remote Toolbar\IE\6.6\vuzeToolbarIE.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Vuze Remote Toolbar - {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files\Vuze Remote Toolbar\IE\6.6\vuzeToolbarIE.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Avira SearchFree Toolbar plus Web Protection - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Vuze Remote Toolbar - {05478A66-EDB6-4A22-A870-A5987F80A7DA} - C:\Program Files\Vuze Remote Toolbar\IE\6.6\vuzeToolbarIE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SearchSettings] "C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe"
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Documents and Settings\Admin\Local Settings\Application Data\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Admin\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: DRSpawner.lnk = C:\Documents and Settings\All Users\Application Data\ASGvis\DRSpawner\DRSpawner.exe
O4 - Global Startup: Wireless N-lite USB Adapter Utility.lnk = C:\Program Files\ZyXEL\N220\Common\N220.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} (20-20 3D Viewer for IKEA) - http://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_IKEA_Win32.cab
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - http://kitchenplanner.ikea.com/US/Core/Player/2020PlayerAX_Win32.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Web Protection (AntiVirWebService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Autodesk Content Service - Unknown owner - C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Flexera Software, Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: mental ray 3.9 Satellite for Autodesk 3ds Max Design 2012 32-bit - English 32-bit (mi-raysat_3dsmax2012_32) - Unknown owner - c:\Program Files\Autodesk\3ds Max Design 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files\ZyXEL\N220\Common\RalinkRegistryWriter.exe
O23 - Service: SecureStorageService - Unknown owner - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe (file missing)
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: WaveEnrollmentService - Unknown owner - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 16488 bytes





GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-19 15:20:34
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9120823ASG rev.3.ADE 111.79GB
Running: tg289skd.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\fxtdypog.sys


---- System - GMER 2.0 ----

SSDT B878124C ZwClose
SSDT B8781206 ZwCreateKey
SSDT B8781256 ZwCreateSection
SSDT B87811FC ZwCreateThread
SSDT B878120B ZwDeleteKey
SSDT B8781215 ZwDeleteValueKey
SSDT B8781247 ZwDuplicateObject
SSDT B878121A ZwLoadKey
SSDT B87811E8 ZwOpenProcess
SSDT B87811ED ZwOpenThread
SSDT B878126F ZwQueryValueKey
SSDT B8781224 ZwReplaceKey
SSDT B8781260 ZwRequestWaitReplyPort
SSDT B878121F ZwRestoreKey
SSDT B878125B ZwSetContextThread
SSDT B8781265 ZwSetSecurityObject
SSDT B8781210 ZwSetValueKey
SSDT B878126A ZwSystemDebugControl
SSDT B87811F7 ZwTerminateProcess

---- Kernel code sections - GMER 2.0 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DC4 805046BC 4 Bytes CALL A708BED2
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6B4A3A0, 0x59FFE5, 0xE8000020]

---- EOF - GMER 2.0 ----
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Download ComboFix from Hereto your Desktop.

**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on renamed combofix.exe & follow the prompts.​
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Please tell us if it has cured the problems or if there are any outstanding issues

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboot is due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...
 

Architype

Thread Starter
Joined
Mar 27, 2012
Messages
34
Hi, I ran combo fix. Here's the log. Thanks.




ComboFix 13-01-31.03 - Admin 01/31/2013 16:08:13.13.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2781 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2012-12-28 to 2013-01-31 )))))))))))))))))))))))))))))))
.
.
2013-01-31 06:55 . 2013-01-31 06:55 -------- d-----w- c:\documents and settings\Admin\Application Data\Search Settings
2013-01-31 06:55 . 2013-01-31 06:55 -------- d-----w- c:\program files\Application Updater
2013-01-31 06:55 . 2013-01-31 06:55 -------- d-----w- c:\program files\Vuze Remote Toolbar
2013-01-31 06:55 . 2013-01-31 06:55 -------- d-----w- c:\program files\Common Files\Spigot
2013-01-03 03:56 . 2013-01-03 03:56 -------- d-----w- c:\program files\Dropbox
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-16 12:23 . 2004-08-11 22:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-26 06:14 . 2012-06-26 00:46 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-26 06:14 . 2011-07-07 04:16 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25 . 2004-08-11 22:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-06 02:01 . 2009-08-19 21:07 1371648 ----a-w- c:\windows\system32\msxml6.dll
2011-07-07 03:46 . 2011-07-07 03:46 13683064 -c--a-w- c:\program files\Firefox Setup 5.0.exe
2013-01-19 19:31 . 2013-01-19 19:30 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-07-21 19:19 . 2013-01-19 19:30 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{05478A66-EDB6-4A22-A870-A5987F80A7DA}"= "c:\program files\Vuze Remote Toolbar\IE\6.7\vuzeToolbarIE.dll" [2013-01-10 1348416]
.
[HKEY_CLASSES_ROOT\clsid\{05478a66-edb6-4a22-a870-a5987f80a7da}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{05478A66-EDB6-4A22-A870-A5987F80A7DA}]
2013-01-10 21:54 1348416 ----a-w- c:\program files\Vuze Remote Toolbar\IE\6.7\vuzeToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{05478A66-EDB6-4A22-A870-A5987F80A7DA}"= "c:\program files\Vuze Remote Toolbar\IE\6.7\vuzeToolbarIE.dll" [2013-01-10 1348416]
.
[HKEY_CLASSES_ROOT\clsid\{05478a66-edb6-4a22-a870-a5987f80a7da}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\documents and settings\Admin\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-10-09 4441920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-08-10 348664]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NVHotkey"="nvHotkey.dll" [2010-07-09 178792]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-05-20 119152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-21 30192]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-28 397992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2013-01-10 1250112]
.
c:\documents and settings\Admin\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Admin\Application Data\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
DRSpawner.lnk - c:\documents and settings\All Users\Application Data\ASGvis\DRSpawner\DRSpawner.exe [2012-6-5 2080768]
Wireless N-lite USB Adapter Utility.lnk - c:\program files\ZyXEL\N220\Common\N220.exe [2011-5-27 1990656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google SketchUp 7\\SketchUp.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Documents and Settings\\Admin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\ASGvis\\DRSpawner\\DRSpawner.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [4/2/2012 7:10 PM 36000]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/11/2004 5:00 PM 14336]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/2/2012 7:10 PM 86224]
R2 AntiVirWebService;Avira Web Protection;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [4/2/2012 7:10 PM 465360]
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [1/10/2013 4:46 PM 793600]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [2/2/2011 1:08 PM 18656]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
S2 mi-raysat_3dsmax2012_32;mental ray 3.9 Satellite for Autodesk 3ds Max Design 2012 32-bit - English 32-bit;c:\program files\Autodesk\3ds Max Design 2012\mentalimages\satellite\raysat_3dsmax2012_32server.exe [2/23/2011 6:59 AM 86016]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [5/30/2012 12:56 PM 3048136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [11/9/2012 12:21 PM 160944]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/10/2008 10:26 AM 30192]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [1/14/2012 2:31 PM 30576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-01 06:03]
.
2013-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 03:31]
.
2013-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 03:31]
.
2013-01-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-07-28 02:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.yahoo.com?type=994519&fr=spigot-yhp-ie
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6081010
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\8v2j09ed.default-1348028205828\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=994519&p=
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-31 16:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ce5ba24.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,88,81,51,85,12,33,4d,84,27,bd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,88,81,51,85,12,33,4d,84,27,bd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'lsass.exe'(724)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(3768)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\documents and settings\Admin\Application Data\Dropbox\bin\DropboxExt.17.dll
c:\program files\Autodesk\Inventor Fusion 2012\AcSignCore16.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-01-31 16:26:48
ComboFix-quarantined-files.txt 2013-01-31 21:26
ComboFix2.txt 2012-10-03 01:47
.
Pre-Run: 9,601,753,088 bytes free
Post-Run: 12,542,545,920 bytes free
.
- - End Of File - - 17F0E0501ACF0111D30B41CF99A39E9A
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
there is nothing obviously bad there, so where does Avira keep finding this infection

TR/Crypt.ZPACK.Gen8 is a heuristic detection so could be a false alarm, but until we know what file(s) Avira keeps detecting we can't tell
 

Architype

Thread Starter
Joined
Mar 27, 2012
Messages
34
The detection first popped up when i was running disk clean up. Its been popping up seemingly at random ever since. Also my computer was trying to get a windows system update, but every time it try's to install it fails, but then every time I get on the web and then shutdown it try's to install the update again over and over. Not sure if theirs a connection but the problems began around the same time.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
when it p[ops up next time, make a careful note of the EXACT file name & path that it is detecting. That will be the only way we can determine what is wrong ( if anything)


which update is failing.
it is completely impossible to help when you only give vague outlines. we need specific hard facts with these sorts of problems
 

Architype

Thread Starter
Joined
Mar 27, 2012
Messages
34
Ok, the file path as far as I can tell from Avira is:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP270\A0024671.dll


The Update that will not install, and then continues to try to install is:



Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2742597)



Thank for your help, these alerts and failed system updates are getting really annoying.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top