Antivirus Soft 2010 infection

Okay, well I recently got infected with the Antivirus Soft 2010 virus and found a thread online that helped me remove it with MBAM. After the removal I've been getting redirected to different sites when googling for antivirus software (such as avast). I looked more into this online and found a thread here (which is this one: http://forum.avast.com/index.php?topic=58496.0) on this site with someone who was getting redirected too. I ran a GMER scan on my computer and it turned up saying that there are suspicious modifications on PCI.sys and atapi.sys. Now I decided to post my problem here and seek help. Thanks in advance.

I also forgot to mention that I have been getting a lot of svchost.exe errors lately that lead to my computer being unresponsive until I do a hard reboot.

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then re-enable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

Follow this guide from Essexboy, and post the logs here,
then he will have a look when he enters the forum (usually late UK time):
http://forum.avast.com/index.php?topic=53253.0

Okay, so I did a boot up scan with avast and it found infected system restore files (I sent them all to the chest). After that I scanned my computer with Dr. Web and it said this in the results: Process in memory: C:\WINDOWS\System32\svchost.exe:964;;BackDoor.Tdss.565;Eradicated.
After that I rebooted my computer and scanned it with MBAM. It found 1 infected system restore file and I sent it to the chest.
After I rebooted one more time I have been getting some svchost.exe errors and notifications on how the Generic Host Process for Win32 Services has been stopped.

I will be posting the logs from avast antirootkit, hijackthis and the OTL log here in a couple of minutes.

Based on the TDSS report, could you also run GMER to determine if the infection is still present? No requirement for the HJT log as it will show nothing.

http://www.geekstogo.com/misc/guide_icons/gmer.png
GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don't miss this one)

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg


[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*] Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any “<— ROOTKIT” entries.
Please copy and paste the report into your Post.

Here are both OTL logs (gonna attach in two different posts since the files are too large).
Okay, I will post the GMER log in a couple of minutes.
I also have to mention that my computer has been rebooting randomly. It doesn't matter what I am doing but my screen all of a sudden turns black and my computer reboots.
Would you like a log from avast antirootkit?

Here's the extras log from OTL.

GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-02 18:26:48
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\pfriypow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA8C4DC7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA8C4DB36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA8C4E0EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA8C4E014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA8C4D70C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA8C4DC10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA8C4D64C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA8C4D6B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA8C4DD30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA8C4E1B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA8C4DCF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA8C4DE70]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA8C5AAC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA8C5A8EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA8C5AA24]
Code 888D7CEC ZwRequestPort
Code 888D7D8C ZwRequestWaitReplyPort
Code 888D7C4C ZwTraceEvent
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code 888D7CEB NtRequestPort
Code 888D7D8B NtRequestWaitReplyPort
Code 888D7C4B NtTraceEvent
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2430 80501320 4 Bytes JMP 30A8C4E0
.text ntkrnlpa.exe!NtTraceEvent 80530C34 5 Bytes JMP 888D7C50
PAGE ntkrnlpa.exe!ZwLoadDriver 8057866C 7 Bytes JMP A8C5AA28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtRequestPort 80596BE2 5 Bytes JMP 888D7CF0
PAGE ntkrnlpa.exe!NtRequestWaitReplyPort 80596F0E 5 Bytes JMP 888D7D90
PAGE ntkrnlpa.exe!NtCreateSection 8059F56A 7 Bytes JMP A8C5A8EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B0A76 5 Bytes JMP A8C56536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B7764 5 Bytes JMP A8C57EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C5F68 7 Bytes JMP A8C5AACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? cfrxkow.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\pci.sys entry point in “.rsrc” section [0xBA776994]
.text win32k.sys!EngAcquireSemaphore + 20E2 BF8084A5 5 Bytes JMP 888D74D0
.text win32k.sys!EngFreeUserMem + 5B9B BF80EFF5 5 Bytes JMP 888D7430
.text win32k.sys!EngPaint + 4F1 BF825557 5 Bytes JMP 888D7610
.text win32k.sys!CLIPOBJ_bEnum + 2982 BF8314B8 5 Bytes JMP 888D7750
.text win32k.sys!EngUnmapFontFileFD + F669 BF841ADB 5 Bytes JMP 888D76B0
.text win32k.sys!FONTOBJ_pxoGetXform + D226 BF85B57E 5 Bytes JMP 888D7A70
.text win32k.sys!XLATEOBJ_iXlate + 3A46 BF871662 5 Bytes JMP 888D7570
.text win32k.sys!EngStretchBltROP + 34B9 BF8BA19B 5 Bytes JMP 888D7930
.text win32k.sys!EngAlphaBlend + 3E8 BF8C3275 5 Bytes JMP 888D77F0
.text win32k.sys!PATHOBJ_vGetBounds + 74F9 BF8F01A6 5 Bytes JMP 888D79D0
.text win32k.sys!EngCreateClip + 19C1 BF912FBD 5 Bytes JMP 888D7B10
.text win32k.sys!EngCreateClip + 1F51 BF91354D 5 Bytes JMP 888D7BB0
.text win32k.sys!EngCreateClip + 2597 BF913B93 5 Bytes JMP 888D7890

GMER Log Cont.:

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[892] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[892] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[892] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[892] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00A7000A
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer\gmer.exe[1132] USER32.dll!GetCursor 7E41D749 5 Bytes JMP 01461080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer\gmer.exe[1132] USER32.dll!DrawIconEx 7E41EB4E 5 Bytes JMP 01461120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Documents and Settings\Compaq_Owner\Desktop\gmer\gmer.exe[1132] USER32.dll!GetIconInfo 7E41F052 5 Bytes JMP 01461030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\WINDOWS\Explorer.EXE[2612] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[2612] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[2612] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\Explorer.EXE[2612] USER32.dll!GetCursor 7E41D749 5 Bytes JMP 00F51080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\WINDOWS\Explorer.EXE[2612] USER32.dll!DrawIconEx 7E41EB4E 5 Bytes JMP 00F51120 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\WINDOWS\Explorer.EXE[2612] USER32.dll!GetIconInfo 7E41F052 5 Bytes JMP 00F51030 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3128] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device → \Driver\atapi \Device\Harddisk0\DR0 88EC7EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002720f3932
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0002720f3932 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved{3A5B843C-3F8B-F081-5EAB-BDA7FD474D02}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved{3A5B843C-3F8B-F081-5EAB-BDA7FD474D02}@oaiaknmacapcfebjaoppofejdifocp 0x6A 0x61 0x69 0x70 …
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved{3A5B843C-3F8B-F081-5EAB-BDA7FD474D02}@naooabfagcjdlpgabfklkphoepbo 0x6B 0x61 0x62 0x70 …

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pci.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
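
The GMER log above is what the helpers are reading, and the tell-tale entries are the ones no named driver accounts for: SSDT and inline hooks whose handler is a bare 888D7xxx address, a driver (cfrxkow.sys) that is loaded but cannot be found on disk, pci.sys with its entry point moved into the .rsrc section, a \Device\Harddisk0\DR0 device object pointing at a raw address, and the two "suspicious modification" lines. The Python below is an added example, not part of the thread or of GMER: it parses a constructed excerpt modelled on that log and flags exactly those patterns, while leaving hooks attributed to a named module (here the avast self-protection driver and CursorXP) unflagged.

```python
"""Triage a GMER log for hooks and modifications that no named module accounts for.

Added example, not part of the thread or of GMER. SAMPLE_LOG is a constructed
excerpt modelled on the log posted above.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA8C4DC7A]
Code 888D7CEC ZwRequestPort
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
.text ntkrnlpa.exe!NtTraceEvent 80530C34 5 Bytes JMP 888D7C50
PAGE ntkrnlpa.exe!ZwLoadDriver 8057866C 7 Bytes JMP A8C5AA28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? cfrxkow.sys The system cannot find the file specified. !
.rsrc C:\WINDOWS\system32\drivers\pci.sys entry point in ".rsrc" section [0xBA776994]
.text win32k.sys!EngPaint + 4F1 BF825557 5 Bytes JMP 888D7610
.text C:\WINDOWS\Explorer.EXE[2612] USER32.dll!GetCursor 7E41D749 5 Bytes JMP 00F51080 C:\Program Files\CursorXP\CurXP0.dll (CursorXP control panel/ )
.text C:\WINDOWS\System32\svchost.exe[892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
Device -> \Driver\atapi \Device\Harddisk0\DR0 88EC7EC5
File C:\WINDOWS\system32\drivers\pci.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""


@dataclass
class Finding:
    severity: str   # "high" or "info"
    category: str
    detail: str


# Inline hook: optional "process[pid]" prefix, module!function (+ offset), address,
# "N Bytes JMP dest", then the owning module if GMER could attribute the handler.
HOOK = re.compile(
    r'^(?:\.text|PAGE)\s+'
    r'(?:(?P<process>.+?\[\d+\])\s+)?'
    r'(?P<target>\S+!\S+(?:\s\+\s[0-9A-F]+)?)\s+'
    r'[0-9A-F]{8}\s+\d+ Bytes\s+JMP\s+(?P<dest>[0-9A-F]{8})\s*(?P<module>.*)$')
# SSDT / code hook whose handler is a bare address instead of a driver path.
CODE_HOOK = re.compile(r'^(?:Code|SSDT)\s+(?P<dest>[0-9A-F]{8})\s+(?P<target>\S+)\s*$')
# Driver seen in memory whose file GMER cannot open on disk.
MISSING = re.compile(r'^\?\s+(?P<driver>\S+)\s+The system cannot find the file specified')
# Entry point relocated into the resource section of a system driver.
RSRC_ENTRY = re.compile(r'^\.rsrc\s+(?P<path>.+?)\s+entry point in .\.rsrc. section')
# Device object whose dispatch target is a raw address rather than a driver.
DEVICE = re.compile(r'^Device\s+(?:(?:->|→)\s+)?(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+[0-9A-F]{8}\s*$')
MODIFIED = re.compile(r'^File\s+(?P<path>.+?)\s+suspicious modification\s*$')


def triage_line(line):
    """Return a Finding for one GMER line, or None if nothing stands out."""
    m = HOOK.match(line)
    if m:
        if m.group('module'):
            return None   # handler attributed to a named module: not flagged here
        where = f"{m.group('target')} -> {m.group('dest')}"
        if m.group('process'):
            # User-mode hooks with no module are worth a look but are lower confidence.
            return Finding('info', 'unattributed user-mode hook', f"{m.group('process')} {where}")
        return Finding('high', 'unattributed kernel hook', where)
    m = CODE_HOOK.match(line)
    if m:
        return Finding('high', 'unattributed kernel hook', f"{m.group('target')} -> {m.group('dest')}")
    m = MISSING.match(line)
    if m:
        return Finding('high', 'loaded driver whose file is not on disk', m.group('driver'))
    m = RSRC_ENTRY.match(line)
    if m:
        return Finding('high', 'driver entry point moved into .rsrc', m.group('path'))
    m = DEVICE.match(line)
    if m:
        return Finding('high', 'device object redirected to a bare address',
                       f"{m.group('driver')} {m.group('device')}")
    m = MODIFIED.match(line)
    if m:
        return Finding('high', 'system driver modified on disk', m.group('path'))
    return None


def triage(text):
    return [f for f in (triage_line(l.strip()) for l in text.splitlines()) if f]


def summarize(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity}] {f.category}: {f.detail}')
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the constructed excerpt it reports eight high-severity findings and one informational one. On the real log above the same logic would also show that every unattributed kernel hook jumps into the same 888D7xxx pool region, which is one reason to treat them as a single in-memory component rather than a scatter of unrelated entries.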

File C:\WINDOWS\system32\drivers\pci.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
This is the TDL3 rootkit, let's hope it is not the latest version.

Run OTL

[*] Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O33 - MountPoints2\{ab822e81-8a29-11dc-ba45-0011d872ad68}\Shell\AutoRun\command - "" = autorun.exe
O33 - MountPoints2\{bd36e10e-8b5b-11de-9ed4-0011d872ad68}\Shell\AutoRun\command - "" = autorun.exe
[2010/05/28 18:38:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\yfcqmsxrh
[2010/05/25 15:34:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\DaYaYArEaLaTiNo
[2008/05/02 23:17:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg7

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*] Then click the Run Fix button at the top
[*] Let the program run unhindered, reboot the PC when it is done
[*] Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer

And for Firefox there are instructions on this page and you want the setting to be no proxy

FINALLY

Download TDSSKiller and save it to your Desktop.

[*] Extract the file and run it.
[*] Once completed it will create a log in your C: drive
[*] Reboot your computer
[*] Please post the contents of that log
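
The OTL fix above removes two things that explain the redirects the poster saw: an Internet Explorer ProxyServer value pointing at 127.0.0.1:5555 (a proxy on the machine itself, which is why the browser settings and the "no proxy" check follow), and the [resethosts] command that replaces the hosts file (the same hosts clean-up suggested in the first reply). The Python below is an added example, not part of the thread or of OTL: it reads OTL-style lines and a hosts file and separates a loopback proxy, a redirecting hosts entry and an AutoRun command from ordinary, expected settings. All inputs are constructed; the HKLM proxy line and the 203.0.113.9 address (a documentation range) are invented to show the non-hijack and hijack cases side by side.

```python
"""Flag browser-proxy, hosts-file and AutoRun hijacks in OTL output.

Added example, not part of the thread or of OTL. All sample data is constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed OTL-style lines modelled on the fix posted above; the HKLM proxy
# is an invented, non-loopback entry included for contrast.
OTL_LINES = [
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555',
    r'IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.example.net:3128',
    r'O33 - MountPoints2\{ab822e81-8a29-11dc-ba45-0011d872ad68}\Shell\AutoRun\command - "" = autorun.exe',
]

# Constructed hosts file: 203.0.113.9 stands in for a server the user never chose.
HOSTS_SAMPLE = """
127.0.0.1       localhost
203.0.113.9     www.avast.com
203.0.113.9     forum.avast.com
127.0.0.1       ads.example.com
"""

PROXY_LINE = re.compile(
    r'^IE - (?P<hive>HK\w+)\\.*Internet Settings: "ProxyServer" = (?P<value>.+)$')
AUTORUN_LINE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
LOCAL_NAMES = {'localhost', 'localhost.localdomain', 'broadcasthost'}


def parse_proxy_value(value):
    """Split an IE ProxyServer string into {scheme: (host, port)}.

    Accepts the single-proxy form "host:port" (scheme "*") and the
    per-protocol form "http=host:port;https=host:port".
    """
    proxies = {}
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition('=')   # no '=' leaves scheme empty
        host, _, port = hostport.rpartition(':')
        proxies[scheme or '*'] = (host, int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """True for localhost or any loopback IP: a proxy there runs on the victim itself."""
    if host.lower() == 'localhost':
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def proxy_findings(lines):
    out = []
    for m in filter(None, map(PROXY_LINE.match, lines)):
        for scheme, (host, port) in parse_proxy_value(m.group('value')).items():
            where = f"{m.group('hive')} {scheme} -> {host}:{port}"
            if is_loopback(host):
                out.append(('high', 'browser proxied through a local listener', where))
            else:
                out.append(('info', 'proxy configured (confirm it is expected)', where))
    return out


def autorun_findings(lines):
    return [('high', 'AutoRun command registered for a removable volume',
             f"{m.group('guid')} runs {m.group('cmd')}")
            for m in filter(None, map(AUTORUN_LINE.match, lines))]


def hosts_findings(text):
    out = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            out.append(('info', 'unparseable hosts entry', raw.strip()))
            continue
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            if ip.is_loopback or ip.is_unspecified:
                out.append(('info', 'name blocked via hosts file', f'{name} -> {ip}'))
            else:   # a real address for someone else's name is a redirect
                out.append(('high', 'name redirected via hosts file', f'{name} -> {ip}'))
    return out


def triage(otl_lines, hosts_text):
    return proxy_findings(otl_lines) + autorun_findings(otl_lines) + hosts_findings(hosts_text)


def summarize(findings):
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == '__main__':
    for sev, cat, detail in triage(OTL_LINES, HOSTS_SAMPLE):
        print(f'[{sev}] {cat}: {detail}')
```

The distinction the code draws is the one that matters for clean-up: a hosts entry that maps a name to 127.0.0.1 merely blocks it (ad-blocking lists do this on purpose), whereas one that maps a vendor's name to some other address silently sends the browser elsewhere, and a ProxyServer value on loopback means every request is being handed to a process on the infected machine first.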

Here is the OTL log

That's the minor stuff gone - now let's see if TDSSKiller can get rid of the other one.

Okay, so, before I had received your post to scan with TDSSKiller, I had found the TDSSKiller program. I had run the scan and it did find the rootkit. It rebooted and it seemed to have cleared out the problem. I then re-ran TDSSKiller and it did not find the infected file again. Here's the log from when it found the rootkit.

Looks good - any further problems ?

Thank you very much for your help, you helped me save my computer's life!
My only problem right now is the random reboots I have been having, which I had mentioned earlier. I think it might be a hardware problem, probably the RAM, since my computer gives me a notification on reboot on how the source of the problem might be hardware related. Is there any way I can tell what the source of the problem is?

Download and run WhoCrashed: http://www.resplendence.com/whocrashed

This will give us an indication of what is causing the crashes

Hmm…the most common crash report I see is this one:

This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x1000000A (0x1D, 0x2, 0x0, 0x8050C1F2)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini052310-01.dmp
file path: C:\WINDOWS\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
The crash took place in a standard Microsoft module. Your system configuration may be incorrect, possibly the culprit is in another driver on your system which cannot be identified at this time.

Would you like me to post all of the crash reports?
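
The crash record above carries more than "Error: Unknown" suggests. 0x1000000A is the minidump form of bug check 0xA, IRQL_NOT_LESS_OR_EQUAL, and its four parameters are the address referenced (0x1D, almost a null pointer), the IRQL at the time (2, DISPATCH_LEVEL on x86), read versus write (0 = read) and the instruction that faulted (0x8050C1F2, inside the kernel image). When that keeps recurring with only ntoskrnl.exe blamed and no third-party driver in sight, the helper's move to a memory test is the natural next step. The Python below is an added example, not part of the thread or of WhoCrashed: it parses a constructed report modelled on the one posted, decodes the codes it knows, and states whether the set of crashes points at a driver or at hardware. Stripping the 0x10000000 prefix to reach the base code is an assumption stated in the code.

```python
"""Decode WhoCrashed-style bugcheck lines and judge driver versus hardware.

Added example, not part of the thread or of WhoCrashed. REPORT is constructed;
its second record is invented to show what recurrence looks like.
"""
import re
from collections import Counter

REPORT = r"""
This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x1000000A (0x1D, 0x2, 0x0, 0x8050C1F2)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini052310-01.dmp

This was likely caused by the following module: ntoskrnl.exe
Bugcheck code: 0x1000000A (0x1D, 0x2, 0x0, 0x8050C1F2)
Error: Unknown
Dump file: C:\WINDOWS\Minidump\Mini052210-01.dmp
"""

# Parameter meanings for a few common stop codes (from the Windows bug check reference).
BUGCHECKS = {
    0x0A: ('IRQL_NOT_LESS_OR_EQUAL',
           ('memory referenced', 'IRQL at time of fault', '0 = read, 1 = write', 'address that referenced memory')),
    0x50: ('PAGE_FAULT_IN_NONPAGED_AREA',
           ('memory referenced', '0 = read, 1 = write', 'address that referenced memory', 'reserved')),
    0x7E: ('SYSTEM_THREAD_EXCEPTION_NOT_HANDLED',
           ('exception code', 'address of exception', 'exception record', 'context record')),
    0x8E: ('KERNEL_MODE_EXCEPTION_NOT_HANDLED',
           ('exception code', 'address of exception', 'trap frame', 'reserved')),
    0xD1: ('DRIVER_IRQL_NOT_LESS_OR_EQUAL',
           ('memory referenced', 'IRQL at time of fault', '0 = read, 1 = write', 'address that referenced memory')),
}
IRQL_NAMES = {0: 'PASSIVE_LEVEL', 1: 'APC_LEVEL', 2: 'DISPATCH_LEVEL'}   # x86 values
CORE_MODULES = {'ntoskrnl.exe', 'ntkrnlpa.exe', 'ntkrnlmp.exe', 'ntkrpamp.exe', 'hal.dll', 'win32k.sys'}

MODULE_RE = re.compile(r'caused by the following module: (\S+)')
CODE_RE = re.compile(r'Bugcheck code: (0x[0-9A-Fa-f]+) \(([^)]*)\)')
DUMP_RE = re.compile(r'Dump file: (.+)')


def parse_reports(text):
    """One dict per blank-line-separated record that carries a Bugcheck line."""
    records = []
    for chunk in re.split(r'\n\s*\n', text.strip()):
        c = CODE_RE.search(chunk)
        if not c:
            continue
        m = MODULE_RE.search(chunk)
        d = DUMP_RE.search(chunk)
        records.append({
            'module': m.group(1) if m else None,
            'code': int(c.group(1), 16),
            'params': [int(p.strip(), 16) for p in c.group(2).split(',') if p.strip()],
            'dump': d.group(1).strip() if d else None,
        })
    return records


def decode(code, params):
    # Assumption: minidump-style codes such as 0x1000000A are the base code with
    # the top nibble set, so mask it off before the lookup.
    base = code & 0x0FFFFFFF
    name, meanings = BUGCHECKS.get(base, ('UNKNOWN_BUGCHECK', ('param1', 'param2', 'param3', 'param4')))
    out = {'base': base, 'name': name,
           'params': [(meaning, f'0x{value:X}') for meaning, value in zip(meanings, params)]}
    if base in (0x0A, 0xD1) and len(params) >= 4:
        out['irql'] = IRQL_NAMES.get(params[1], f'IRQL {params[1]}')
        out['access'] = 'write' if params[2] else 'read'
        out['faulting_address'] = f'0x{params[3]:X}'
    return out


def assess(records):
    """Crashes blamed only on core kernel modules point away from a single driver."""
    modules = {r['module'] for r in records} - {None}
    names = Counter(decode(r['code'], r['params'])['name'] for r in records)
    if records and modules <= CORE_MODULES:
        return ('hardware-suspect: %d crash(es) blamed only on core Windows modules (%s), '
                'no third-party driver named; most common bug check %s. Test RAM before chasing drivers.'
                % (len(records), ', '.join(sorted(modules)), names.most_common(1)[0][0]))
    return 'driver-suspect: third-party module(s) named: %s' % ', '.join(sorted(modules - CORE_MODULES))


if __name__ == '__main__':
    recs = parse_reports(REPORT)
    for r in recs:
        print(r['dump'], decode(r['code'], r['params']))
    print(assess(recs))
```

The verdict is deliberately worded as "suspect": a fault at DISPATCH_LEVEL on a near-null address inside the kernel can come from bad RAM or from a driver that corrupted memory earlier, so the classification only tells you which elimination step to take first, which is the same process of elimination the helper describes below.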

It's really a process of elimination now - what programmes did you install or drivers/hardware did you update about the time this started?

Well the only hardware I have installed on this computer is a 1GB stick of RAM, which is why I assume it's this. The reboots/crashes have been happening for a long time now, and the reboots normally happen during memory intensive things. So I don't really think it has to do with programs I have installed. I also have to mention that large programs fail to install and give me a data1.cab error. They only install when I change my computer's max memory in msconfig to something from 256-512 MB of RAM.

Let's check out the memory stick - do you have just one or is it paired?

The Windows Memory Diagnostics Tool is an easy to create, easy to use application available from Microsoft that is a valuable tool in troubleshooting suspected RAM problems. Download the tool and save the file to your desktop. Double click on the downloaded file to open the disk creation application.

When the downloaded file is opened, the creation software will start and you will be presented with a license agreement…accept that and you will see the options to create a bootable floppy diskette or to copy the CD image to a location on your computer as shown below.

http://i197.photobucket.com/albums/aa249/thesparkman/createit.png

When the “Create Startup Disk…” button is clicked, you will be prompted to select the floppy drive to use to create the disk. In the majority of cases, there will be only one choice and it will be selected by default as shown in the example below. Insert a diskette into the floppy drive and click on the “Create” button.

http://i197.photobucket.com/albums/aa249/thesparkman/createflop.png

When the “Save CD Image to Disk…” button is clicked, you will be prompted to save the CD image to a location on your computer. Save it to a location you will remember such as your My Documents folder or the desktop. In the example below, I’ve created a folder on the desktop named windiag to save the file to.

http://i197.photobucket.com/albums/aa249/thesparkman/savetodisk.png

Once the image has been saved to a location on your computer, you can use your burning software to burn the image to a CD. If your software doesn’t support burning ISO images or you do not have burning software installed, you can use a tool like ISO Recorder which will add a “Copy Image to CD” option to the right click context menu. You can simply right click on the saved image and choose that option…the burning tool will open.

Use the disk you create to boot the computer. The diagnostics will run automatically and will continue to do so until it is terminated. It should be left to run for a minimum of four complete passes. If you have the time, an hour or two is better.

If the RAM module(s) is good, each test in each pass will display a green “Succeeded” message in the Pass field as shown in the image below.

http://i197.photobucket.com/albums/aa249/thesparkman/good.png

If the RAM module(s) is bad, one or more passes will display a red “Failed” message in the Pass field as shown in the image below.

http://i197.photobucket.com/albums/aa249/thesparkman/bad.png

Any failure in any test may indicate a bad module. If there is more than one module installed on the machine when a failure is indicated, remove all but one module and begin the test again, testing each module by itself until the failing module is found.

To terminate the diagnostics, remove the disk and press the X key or power the machine off.

Other things to try when faced with suspected memory problems:
[*] Set the BIOS Fail Safe Defaults in Setup.
[*] Reset the CMOS. (Advanced)
[*] Adjust RAM voltage/timing. (Advanced)
Some platforms provide for changes to the RAM settings, some offer limited adjustment, and some will not have the option to change the RAM settings. Making changes to RAM settings in the BIOS is best left to advanced users.