Computer Hope
Software => Computer viruses and spyware => Topic started by: venom7513 on June 30, 2010, 12:09:55 PM
-
I was browsing the web when my Google Chrome crashed (buffer overrun?) and my Avast! antivirus began moving 40-50 files to my chest. All of which were in the Drivers folder. It identified all of them as Win32: Qandr Rootkit.
At first it looked like it got it; however, I am still unable to start Google Chrome, and inside Firefox (what I am using now) I receive random advertisement tabs.
I did a full scan in safe mode with Avast, nothing came up. I also installed a plethora of other "Rootkit removers", all of which can find no threat.
I ran DDS. Here is the output:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Alec Larsen at 12:54:07.97 on Wed 06/30/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Starter 6.1.7600.0.1252.1.1033.18.987.260 [GMT -5:00]
SP: Spyware Terminator *disabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\andLinux\colinux-daemon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\andLinux\colinux-slirp-net-daemon.exe
C:\Program Files\andLinux\colinux-net-daemon.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\LiveZilla\LiveZilla.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Sophos\Sophos Anti-Rootkit\sargui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Users\Alec Larsen\AppData\Local\Temp\rwjbcd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Spyware Terminator\Spywareterminator.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\Alec Larsen\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0566.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0566.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [liveZilla] "c:\program files\livezilla\LiveZilla.exe" -minimize
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\alecla~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\users\alecla~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
uPolicies-system: TextValue = a7b9d9cffb24998fd4c097f505b2027a
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab
DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxp://win7pro.vlabcenter.com/ActiveX/VMRCActiveXClient1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-24 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-24 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-24 50256]
R2 CoLinuxDriver;CoLinuxDriver;c:\program files\andlinux\linux.sys [2010-6-24 84992]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
=============== Created Last 30 ================
2010-06-30 17:52:19 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-06-29 23:33:24 0 d-----w- c:\users\alecla~1\appdata\roaming\Malwarebytes
2010-06-29 23:33:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-29 23:33:09 0 d-----w- c:\programdata\Malwarebytes
2010-06-29 23:33:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-29 23:33:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-29 19:02:28 38848 ----a-w- c:\windows\avastSS.scr
2010-06-29 18:46:48 0 d-----w- c:\windows\system32\wbem\repository
2010-06-29 18:41:52 65536 --sha-w- c:\users\alec larsen\ntuser.dat{a0d37932-83ab-11df-9e92-005056c00008}.TM.blf
2010-06-29 18:41:52 524288 --sha-w- c:\users\alec larsen\ntuser.dat{a0d37932-83ab-11df-9e92-005056c00008}.TMContainer00000000000000000002.regtrans-ms
2010-06-29 18:41:52 524288 --sha-w- c:\users\alec larsen\ntuser.dat{a0d37932-83ab-11df-9e92-005056c00008}.TMContainer00000000000000000001.regtrans-ms
2010-06-29 17:37:59 161106861 ----a-w- c:\windows\MEMORY.DMP
2010-06-28 00:47:19 0 d-----w- c:\program files\IObit
2010-06-28 00:19:22 0 d-----w- c:\program files\MediaMall
2010-06-28 00:19:22 0 d-----w- c:\program files\common files\TV-Websites
2010-06-28 00:19:08 0 d-----w- c:\programdata\MediaMall
2010-06-27 22:24:17 0 d-----w- c:\program files\sterm
2010-06-27 21:05:42 0 d-----w- c:\program files\MSXML 4.0
2010-06-27 20:53:36 0 d-----w- c:\program files\Windows Installer Clean Up
2010-06-27 19:56:57 0 d-----w- c:\users\alecla~1\appdata\roaming\SoftGrid Client
2010-06-27 04:41:05 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2010-06-27 04:41:05 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2010-06-27 04:41:05 1718912 ----a-w- c:\windows\system32\BootMan.exe
2010-06-27 04:41:05 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2010-06-27 04:41:05 14216 ----a-w- c:\windows\system32\epmntdrv.sys
2010-06-27 04:28:43 0 d-----w- c:\programdata\LogMeIn
2010-06-27 04:28:27 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-27 04:28:27 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2010-06-27 04:28:27 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-27 04:28:24 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-27 04:27:59 0 d-----w- c:\program files\LogMeIn
2010-06-26 21:32:58 0 d-----w- c:\users\alecla~1\appdata\roaming\TP
2010-06-26 17:28:58 0 d-----w- c:\program files\MGTEK
2010-06-26 17:28:58 0 d-----w- c:\program files\common files\MGTEK
2010-06-26 17:28:23 0 d-----w- c:\programdata\MGTEK
2010-06-26 17:08:24 0 d-----w- c:\program files\NaturalSoft
2010-06-26 16:58:37 0 d-----w- c:\program files\Text2mp3
2010-06-26 03:21:28 24576 ----a-w- c:\windows\system32\anotherRunAs.exe
2010-06-26 03:07:17 172032 ----a-w- c:\windows\system32\runasloc.ocx
2010-06-26 03:07:17 0 d-----w- c:\program files\Steel RunAs
2010-06-25 04:02:39 25856 ----a-w- c:\windows\system32\drivers\tap0801co.sys
2010-06-25 04:00:04 0 d-----w- c:\program files\andLinux
2010-06-23 20:13:28 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-23 20:13:28 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-23 20:13:28 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-23 20:13:28 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-23 20:13:28 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 04:26:04 0 d-----w- C:\My Drivers
2010-06-23 04:26:04 0 d-----w- C:\Innovative Solutions
2010-06-23 02:39:42 285696 ------w- c:\windows\system32\Cncs232.dll
2010-06-23 02:39:38 0 d-----w- c:\windows\COREL
2010-06-23 02:39:38 0 d-----w- C:\MMFusion
2010-06-23 02:12:16 0 d-----w- c:\program files\NSIS
2010-06-23 02:03:18 0 d-----w- c:\program files\Install Creator
2010-06-23 01:44:17 0 d-----w- c:\users\alecla~1\appdata\roaming\Easeware
2010-06-23 01:44:03 0 d-----w- c:\program files\Easeware
2010-06-23 00:53:30 0 d-----w- c:\programdata\Innovative Solutions
2010-06-23 00:53:14 0 d-----w- c:\program files\Innovative Solutions
2010-06-23 00:48:54 0 d-----w- c:\program files\SystemRequirementsLab
2010-06-23 00:44:17 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-06-23 00:44:15 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-06-23 00:44:13 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-06-23 00:44:12 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-06-20 02:52:52 2270208 ----a-w- c:\windows\system32\copyurl.exe
2010-06-18 23:38:18 0 d-----w- C:\mounted_images
2010-06-17 02:59:29 0 d-----w- c:\program files\Super Fast Shutdown
2010-06-17 01:12:32 0 d-----w- c:\program files\Cain
2010-06-17 00:47:32 52 ----a-w- c:\windows\system32\winpeshl.ini
2010-06-16 03:21:43 0 d-----w- c:\program files\Windows Imaging
2010-06-16 02:56:05 524288 --sha-w- c:\users\alec larsen\ntuser.dat{a08aa64f-78f2-11df-b1e4-005056c00008}.TMContainer00000000000000000002.regtrans-ms
2010-06-16 02:56:05 524288 --sha-w- c:\users\alec larsen\ntuser.dat{a08aa64f-78f2-11df-b1e4-005056c00008}.TMContainer00000000000000000001.regtrans-ms
2010-06-16 02:56:04 65536 --sha-w- c:\users\alec larsen\ntuser.dat{a08aa64f-78f2-11df-b1e4-005056c00008}.TM.blf
2010-06-16 02:37:35 0 d-----w- c:\users\alecla~1\appdata\roaming\Spyware Terminator
2010-06-16 02:37:32 0 d-----w- c:\programdata\Spyware Terminator
2010-06-16 02:37:30 0 d-----w- c:\program files\Spyware Terminator
2010-06-16 01:51:06 0 d-----w- c:\program files\Windows AIK
2010-06-16 01:44:28 0 d-----w- c:\program files\Sophos
2010-06-16 00:05:56 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-06-15 23:25:26 0 d-----w- c:\program files\MSECache
2010-06-15 18:51:26 0 d-----w- c:\program files\UltraISO
2010-06-15 18:09:19 0 d-----w- c:\program files\EASEUS
2010-06-13 05:00:36 0 d-----w- c:\program files\Advantig
2010-06-11 17:02:35 2326528 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 17:02:34 67584 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-11 17:02:23 977920 ----a-w- c:\windows\system32\wininet.dll
2010-06-11 17:02:14 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-06-11 17:02:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 04:26:25 0 d-----w- c:\programdata\{7269BE79-5722-4259-B764-61F0045B02FF}
2010-06-11 04:26:16 0 d-----w- c:\program files\LiveZilla
2010-06-07 04:11:02 0 d--h--w- c:\users\alec larsen\.zenmap
2010-06-07 03:50:43 0 d-----w- c:\program files\Nmap
2010-06-07 03:46:43 0 d-----w- c:\program files\Metasploit
2010-06-05 18:02:33 0 d-----w- c:\program files\TweetDeck
2010-06-04 22:32:45 0 d-----w- c:\programdata\Recovery
2010-06-04 19:49:14 12866560 ----a-w- C:\shell32.dll
2010-06-04 00:04:10 48836 ----a-w- c:\users\alec larsen\AlecBeta.contact
2010-06-03 21:43:23 0 d-----w- c:\users\alecla~1\appdata\roaming\lyx16
2010-06-03 04:03:31 0 d-----w- c:\users\alecla~1\appdata\roaming\MiKTeX
2010-06-03 03:28:47 0 d-----w- c:\programdata\MiKTeX
2010-06-03 03:24:30 0 d-----w- c:\program files\MiKTeX 2.8
2010-06-03 03:18:17 0 d-----w- c:\programdata\Aspell
2010-06-03 03:17:26 0 d-----w- c:\program files\LyX16
2010-06-03 03:13:08 0 d-----w- c:\program files\LEd
==================== Find3M ====================
2010-06-28 20:32:56 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-06-01 02:53:03 380928 ----a-w- C:\lame_enc.dll
2010-05-21 19:14:28 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-21 02:26:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-05-14 23:06:37 41380 ----a-w- c:\windows\fonts\Bauhaus.ttf
2010-05-11 01:54:39 215628 ----a-w- c:\windows\fonts\Fluox__.ttf
2010-05-09 08:01:42 229224 ----a-w- c:\windows\system32\drivers\VMM.sys
2010-04-23 07:13:36 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-05 16:47:44 51556 ----a-w- c:\windows\fonts\Fineliner Script.otf
2010-04-04 03:18:32 133344 ----a-w- c:\windows\fonts\BROKEN_GHOST.ttf
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-29 23:18:56 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-01-29 23:18:56 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-01-29 23:18:56 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-01-29 23:18:56 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
============= FINISH: 12:59:27.88 ===============
What can I do to fix this?
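As an added triage aid (not part of the original post, and not code from the DDS tool), the following parser reads the DDS log format shown above and pulls out two things a helper usually checks first: processes whose image lives in a temp directory, and driver files created in the last 30 days. The embedded log is a constructed excerpt in the same layout as the posted log; the date cut-off and the temp-directory patterns are assumptions chosen for illustration.

```python
import re

# Constructed excerpt in the DDS layout used in the post above (not the full log).
SAMPLE_LOG = """\
============== Running Processes ===============
C:\\Windows\\system32\\svchost.exe -k netsvcs
C:\\Program Files\\Alwil Software\\Avast5\\AvastSvc.exe
C:\\Users\\Alec Larsen\\AppData\\Local\\Temp\\rwjbcd.exe
C:\\Users\\Alec Larsen\\Desktop\\dds.scr
============== Pseudo HJT Report ===============
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
=============== Created Last 30 ================
2010-06-30 17:52:19 142592 ----a-w- c:\\windows\\system32\\drivers\\sp_rsdrv2.sys
2010-06-29 23:33:11 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2010-06-27 04:28:43 0 d-----w- c:\\programdata\\LogMeIn
============= FINISH: 12:59:27.88 ===============
"""

# DDS marks each section with a line of '=' padding around the section name.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Directories that legitimate services do not normally run from (assumed list).
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.IGNORECASE)
# "Created Last 30" rows: date time size attributes path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(\d+)\s+(\S+)\s+(.+)$")


def parse_dds(text):
    """Split a DDS log into {section_name: [lines]} using its ==== headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def temp_processes(sections):
    """Running processes whose image path sits in a temp directory."""
    return [p for p in sections.get("Running Processes", []) if TEMP_DIR_RE.search(p)]


def new_drivers(sections, since):
    """(date, path) of .sys files created on or after `since` (ISO date string)."""
    hits = []
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m or not m.group(3).startswith("-"):   # skip directories (d-----w-)
            continue
        if m.group(4).lower().endswith(".sys") and m.group(1) >= since:
            hits.append((m.group(1), m.group(4)))
    return hits


if __name__ == "__main__":
    s = parse_dds(SAMPLE_LOG)
    print("processes running from temp:", temp_processes(s))
    print("drivers created since 2010-06-29:", new_drivers(s, "2010-06-29"))
```

A hit from either function is a lead for the helper to check (publisher, hash, install history), not a verdict on its own.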
-
Wrong forum.
-
Hello, and welcome to Computer Hope Forums!
I'm Crush, but you can call me Chris too :) and I will be helping you with your malware issues.
Please note the following information about the malware forum:
- Only members of the Malware Removal Specialist user group are allowed to give advice on removing malware from your computer. Do not follow the advice of anyone without that user title.
- From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
- Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
- If you have already asked for help somewhere, please post the link to the topic where you were helped.
- We try our best to reply quickly, but if for any reason we do not reply in two days, do this:
Reply to this topic with the word BUMP.
- Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
Now that we have that out of the way:
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Under the Custom Scan box paste this in
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
nvstor32.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
explorer.exe
svchost.exe
userinit.exe
qmgr.dll
ws2_32.dll
proquota.exe
imm32.dll
kernel32.dll
ndis.sys
autochk.exe
spoolsv.exe
xmlprov.dll
ntmssvc.dll
mswsock.dll
Beep.SYS
ntfs.sys
termsrv.dll
sfcfiles.dll
st3shark.sys
ahcix86.sys
srsvc.dll
nvrd32.sys
/md5stop
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit>Select All, Edit>Copy) the contents of these files, one at a time