Taimaishu371

Unknown Malware/ Cannot detect with MBAM or SUPERantispyware


Earlier today my AVG picked up constant infections (many of which are trojans), one notification after another, but was unable to heal anything. It was as if viruses were continuously coming through onto my computer or it was reproducing itself on my system. At first I did not experience any redirection on Google, but after a good few hours I began to be redirected.

I noticed that a process called "PING.exe" was using a lot of CPU, but I know it's usually not a harmful process, so it must be used by the malware.

I tried using RKill in safe mode and then MBAM and SUPERAntiSpyware, but nothing significant was picked up.

I'm currently in safe mode with networking right now but I have no idea what to do next. So what should I do? Geek Squad is way over-priced for virus removal.

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.19154 BrowserJavaVersion: 1.6.0_26

Run by Peter at 12:22:49 on 2011-12-04

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2558.1652 [GMT -5:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}

SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\explorer.exe

C:\Windows\helppane.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

uWindow Title = Windows Internet Explorer provided by Yahoo!

uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

mDefault_Page_URL = hxxp://www.sony.com/vaiopeople

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll

uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn4\YTNavAssist.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll

TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [RunSpySweeperScheduleAtStartup] "c:\windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{4C534315-E4CB-4568-8B22-04AD5BA4C4F2}

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"

mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRunOnce: [GrpConv] grpconv -o

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secunia psi tray.lnk - c:\program files\secunia\psi\psi_tray.exe

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: Transfer by Image Converter 3 - c:\program files\sony\image converter 3\menu.htm

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{1AA6E58D-AAEA-4597-97C3-288CFD31CD43} : DhcpNameServer = 7.254.254.254

TCP: Interfaces\{C1319178-532E-419E-BB89-4EDA91133B98} : DhcpNameServer = 192.168.1.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

Notify: VESWinlogon - VESWinlogon.dll

AppInit_DLLs: avgrsstx.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\peter\appdata\roaming\mozilla\firefox\profiles\h2alqhui.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2642707&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - TranslatorBar 5.2 Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2438727&q=

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - component: c:\users\peter\appdata\roaming\mozilla\firefox\profiles\h2alqhui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll

FF - component: c:\users\peter\appdata\roaming\mozilla\firefox\profiles\h2alqhui.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll

FF - plugin: c:\users\peter\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\users\peter\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

.

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-26 108552]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-5 116608]

R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2011-11-9 4232704]

R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\drivers\tap0901t.sys [2010-10-22 27136]

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-7 335240]

S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-7 27784]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 12880]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 67664]

S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-7 908056]

S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-7 297752]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-20 21504]

S2 gupdate1c9873a9bfa7297;Google Update Service (gupdate1c9873a9bfa7297);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]

S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]

S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]

S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848]

S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416]

S2 TunngleService;TunngleService;c:\program files\tunngle\TnglCtrl.exe [2010-10-22 716024]

S2 VCL MySQL Database Server;VCL MySQL Database Server;c:\program files\chemistry lab\mysql\bin\mysqld.exe [2011-10-16 3956736]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]

S3 ICScsiSV;Image Converter SCSI Service;c:\program files\sony\image converter 3\ICScsiSV.exe [2007-8-27 75952]

S3 IcVzMonLauncher;IcVzMonLauncher;c:\program files\sony\image converter 3\IcVzMonLauncher.exe [2007-8-27 67760]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]

S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2007-5-1 74240]

S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2007-5-1 43904]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 12872]

S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2007-5-1 31104]

S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-5-1 807424]

S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2007-8-27 745472]

S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2007-8-27 397312]

S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2007-8-27 1089536]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-12-04 03:25:13 388096 ----a-r- c:\users\peter\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2011-12-04 03:25:12 -------- d-----w- c:\program files\Trend Micro

2011-11-09 22:41:47 4232704 ----a-w- c:\windows\system32\drivers\NETw5v32.sys

2011-11-09 22:41:46 663552 ----a-w- c:\windows\system32\NETw5c32.dll

2011-11-09 22:41:46 2756608 ----a-w- c:\windows\system32\NETw5r32.dll

2011-11-09 07:00:36 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

2011-11-09 07:00:34 913280 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-09 07:00:34 707584 ----a-w- c:\program files\common files\system\wab32.dll

2011-11-09 07:00:34 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys

.

==================== Find3M ====================

.

2011-12-03 04:25:30 138520 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2011-12-03 04:25:16 234536 ----a-w- c:\windows\system32\PnkBstrB.xtr

2011-12-03 04:25:16 234536 ----a-w- c:\windows\system32\PnkBstrB.exe

2011-09-30 23:06:24 916480 ----a-w- c:\windows\system32\wininet.dll

2011-09-30 23:02:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-09-30 23:01:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-09-30 23:01:34 71680 ----a-w- c:\windows\system32\iesetup.dll

2011-09-30 23:01:34 109056 ----a-w- c:\windows\system32\iesysprep.dll

2011-09-30 22:07:25 385024 ----a-w- c:\windows\system32\html.iec

2011-09-30 21:29:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe

2011-09-30 21:28:36 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-09-29 20:48:03 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-09-06 13:30:12 2043392 ----a-w- c:\windows\system32\win32k.sys

.

dds.txt


Create a support ticket so I can send you a system diagnostic and check for any undetected malware, and create a definition for it if possible. If you want to be safe and want an immediate resolution, I would back up all your important documents and contact your PC manufacturer to see if there is a restore partition or other directions for reinstalling Windows.

Keep in mind it may be a virus, and SUPERAntiSpyware is not an anti-virus program and thus would not detect or remove it. You may also want to try running other anti-virus applications and seeing what they can detect and possibly fix.


How would I create a support ticket?


SAS keeps saying "SUPERAntiSpyware is not an anti-virus program and thus would not detect or remove [a virus]." I run SAS Pro live and MBAM Pro live and they play happily together. I also run MS Security Essentials, dead or alive, who knows? MBAM is great for blocking IP pings, but has never detected a virus. SAS Pro was purchased December 9 and has detected and quarantined 3 Trojans, one in real-time and two in scans:

1. Trojan.Agent/Gen-Extorter.Process (real-time, caught in 5 files.)

2. Trojan.Agent/Gen (caught in 5 files, scan, 12-20-2011)

3. Trojan.Agent/Gen-Softonic.Downloader (in 3 files, scan, 12-08-2011)

Aren't these real? I'm not a newbie, and they sure seem real to me.

Laren
