Windows Quick System Eraser V.1

Hi,


I need urgent help if possible. Thank you in advance.


I'm having problems with a program that activates with every computer start. It's called Windows Quick System Eraser and it shows the following message: "wait until your system is completely erased". An alarm sound is activated too. I don't know what to do. I've had a virus which was discovered and cleaned by BitDefender Online Scan. I also have some error messages. One of them is dwwin.exe and the rest I cannot identify.


I've also done a Malwarebytes scan in safe mode and this is the result. Unfortunately the problem still exists. Can anyone help me?


Malwarebytes' Anti-Malware 1.28


Database version: 1134


Windows 5.1.2600 Service Pack 3


15.09.2008 19:49:41


mbam-log-2008-09-15 (19-49-41).txt


Scan type: Full Scan (C:\|)


Objects scanned: 151398


Time elapsed: 31 minute(s), 30 second(s)


Memory Processes Infected: 0


Memory Modules Infected: 0


Registry Keys Infected: 11


Registry Values Infected: 2


Registry Data Items Infected: 0


Folders Infected: 0


Files Infected: 6


Memory Processes Infected:


(No malicious items detected)


Memory Modules Infected:


(No malicious items detected)


Registry Keys Infected:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.


HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.


HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.


HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.


HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.


HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.


HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.


HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.


Registry Values Infected:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.


HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.


Registry Data Items Infected:


(No malicious items detected)


Folders Infected:


(No malicious items detected)


Files Infected:


C:\Programme\AskSBar\bar\1.bin\A2HIGHIN.EXE (Trojan.Agent) -> Quarantined and deleted successfully.


C:\Programme\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.


C:\Programme\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.


C:\Programme\AskSBar\bar\1.bin\NPASKSBR.DLL (Trojan.Agent) -> Quarantined and deleted successfully.


C:\Programme\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> Quarantined and deleted successfully.


C:\Programme\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
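What the Malwarebytes log above actually removed is mostly a set of COM and Internet Explorer load points (a Browser Helper Object, an IE toolbar, a pre-approved ActiveX entry, CLSID/TypeLib/Interface registrations) plus the DLLs they pointed at, rather than one standalone program. The Python script below is an added example, not part of the original post and not Malwarebytes' own code: it parses detection lines in this log format, labels each hit by the Windows mechanism that would have loaded it, links CLSIDs that appear in more than one location, and reports anything that was not removed. The sample lines are copied from the log above; the role labels, the `ROLES` table and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Detection lines in a Malwarebytes' Anti-Malware 1.x log have the shape
#   <registry key | registry value | file path> (<detection name>) -> <action>
# The sample below is copied from the log posted above (paths exactly as MBAM printed them).
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\Programme\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\Programme\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Programme\Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""

LINE_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# Ordered (pattern, role) pairs; the first match wins, so the more specific load points come first.
# The labels are this example's own wording for what each registry location does.
ROLES = [
    (r"\\Explorer\\Browser Helper Objects\\", "BHO: DLL loaded by Internet Explorer on start"),
    (r"\\Internet Explorer\\Toolbar", "IE toolbar registration"),
    (r"\\CurrentVersion\\Ext\\PreApproved\\", "ActiveX control pre-approved to load without an IE prompt"),
    (r"^HKEY_CLASSES_ROOT\\(CLSID|TypeLib|Interface)\\", "COM registration (CLSID/TypeLib/Interface)"),
    (r"\\WMPlayer\\Schemes\\", "Windows Media Player URL scheme handler"),
    (r"\\plugins\\[^\\]+\.dll$", "Browser plugin DLL on disk"),
    (r"^[A-Za-z]:\\", "File on disk"),
]

def parse_line(line):
    """Parse one detection line into a dict, or return None for anything else (headers, blanks)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    role = "Unclassified"
    for pattern, label in ROLES:
        if re.search(pattern, target, re.IGNORECASE):
            role = label
            break
    guid = re.search(r"\{[0-9a-f-]{36}\}", target, re.IGNORECASE)
    return {
        "target": target,
        "family": m.group("family"),
        "action": m.group("action"),
        "role": role,
        "clsid": guid.group(0).lower() if guid else None,
        "removed": m.group("action").lower().startswith("quarantined and deleted"),
    }

def summarize(log_text):
    """Group hits by detection family, tie CLSIDs to every location they were registered in,
    and list anything the scanner reported but did not remove."""
    hits = [h for h in (parse_line(l) for l in log_text.splitlines()) if h]
    by_family = defaultdict(list)
    for h in hits:
        by_family[h["family"]].append(h)
    # A CLSID seen under HKCR\CLSID *and* under a BHO/Toolbar key is a COM object that IE was loading.
    clsid_locations = defaultdict(set)
    for h in hits:
        if h["clsid"]:
            clsid_locations[h["clsid"]].add(h["role"])
    linked = {c: sorted(r) for c, r in clsid_locations.items() if len(r) > 1}
    return {
        "hits": hits,
        "by_family": dict(by_family),
        "linked_clsids": linked,
        "not_removed": [h["target"] for h in hits if not h["removed"]],
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for fam, items in s["by_family"].items():
        print(f"{fam}: {len(items)} item(s)")
        for h in items:
            print(f"  [{h['role']}] {h['target']}")
    print("CLSIDs registered in more than one place:", s["linked_clsids"])
    print("Items not removed:", s["not_removed"])
```

Run as-is it prints the hits grouped by family and shows that `{f0d4b231-...}` was both a COM class and a registered BHO, which is the load path that put ASKSBAR.DLL into Internet Explorer. The `not_removed` list is the part worth checking after any scan: an entry that is only "Detected" or "Delete on reboot" still needs a restart and a second scan before the log counts as clean.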

Comments

  • Sm3K3R
    edited September 2008

    I think you will additionally need to use SUPERAntiSpyware, Spybot Search & Destroy, Spyware Doctor and Ad-Aware 2008.


    You could also try posting a HijackThis log ( http://www.trendsecure.com/portal/en-US/to...ools/hijackthis ) for a better look at your infection.

  • rootkit
    edited September 2008

    Post a HijackThis log here!


    Instructions: http://forum.bitdefender.com/index.php?showtopic=5668

  • ephemeridos
    edited September 2008

    Hi guys,


    Thank you so much for your replies. I got support that night in another forum. The malicious software was removed after a few hours of work.


    I still have a problem with a dwwin.exe error message on computer shutdown or restart. Receiving the same error message started at the time when my computer was infected. I have tried disabling Dr. Watson and even deleting the AeDebug registry key. I'm still getting the same error message.


    If you guys have useful advice it will be greatly appreciated.


    This is the HijackThis scan from today:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 12:42:59, on 18.09.2008


    Platform: Windows XP SP3 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16705)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\csrss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Programme\BitDefender\BitDefender 2009\vsserv.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\RTHDCPL.EXE


    C:\Programme\Intel\Intel Matrix Storage Manager\Iaanotif.exe


    C:\Programme\Synaptics\SynTP\SynTPEnh.exe


    C:\Programme\Keyboard Manager\Manager Utility\KeyboardManager.exe


    C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe


    C:\Programme\CyberLink\PowerDVD\PDVDServ.exe


    C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe


    C:\Programme\BitDefender\BitDefender 2009\bdagent.exe


    C:\Programme\Java\jre1.6.0_07\bin\jusched.exe


    C:\Programme\BillP Studios\WinPatrol\winpatrol.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Programme\Vidalia Bundle\Vidalia\vidalia.exe


    C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe


    C:\Programme\Vidalia Bundle\Privoxy\privoxy.exe


    C:\Programme\Vidalia Bundle\Tor\tor.exe


    C:\Programme\Intel\Intel Matrix Storage Manager\Iaantmon.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\wdfmgr.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\System32\alg.exe


    C:\Programme\BitDefender\BitDefender 2009\seccenter.exe


    C:\Programme\Messenger\msmsgs.exe


    C:\Programme\MSN Messenger\msnmsgr.exe


    C:\Programme\MSN Messenger\usnsvc.exe


    C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe


    C:\Programme\Mozilla Firefox\firefox.exe


    C:\Programme\Trend Micro\HijackThis\sniper.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programme\BitDefender\BitDefender 2009\IEToolbar.dll


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE


    O4 - HKLM\..\Run: [iAAnotif] "C:\Programme\Intel\Intel Matrix Storage Manager\Iaanotif.exe"


    O4 - HKLM\..\Run: [synTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe


    O4 - HKLM\..\Run: [Keyboard Manager Utility] "C:\Programme\Keyboard Manager\Manager Utility\KeyboardManager.exe" /lang DE /H


    O4 - HKLM\..\Run: [sMSERIAL] C:\Programme\Motorola\SMSERIAL\sm56hlpr.exe


    O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe


    O4 - HKLM\..\Run: [ulead AutoDetector v2] C:\Programme\Gemeinsame Dateien\Ulead Systems\AutoDetector\monitor.exe


    O4 - HKLM\..\Run: [bDAgent] "C:\Programme\BitDefender\BitDefender 2009\bdagent.exe"


    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Programme\BitDefender\BitDefender 2009\IEShow.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"


    O4 - HKLM\..\Run: [WinPatrol] C:\Programme\BillP Studios\WinPatrol\winpatrol.exe -expressboot


    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [Vidalia] "C:\Programme\Vidalia Bundle\Vidalia\vidalia.exe"


    O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')


    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')


    O4 - Global Startup: hpoddt01.exe.lnk = ?


    O4 - Global Startup: Privoxy.lnk = C:\Programme\Vidalia Bundle\Privoxy\privoxy.exe


    O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll


    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe


    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe


    O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll


    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab


    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1162468014625


    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab


    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab


    O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll


    O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe


    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Programme\NOS\bin\getPlus_HelperSvc.exe


    O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\Iaantmon.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Programme\BitDefender\BitDefender 2009\vsserv.exe


    --


    End of file - 8059 bytes
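Reading a HijackThis log by hand comes down to asking the same few questions of every line: does the binary live where it should, is a Run entry a bare file name that Windows resolves through the search path, does a startup shortcut still resolve, does a service name a vendor, and does the Winlogon Notify section (DLLs loaded into winlogon.exe) contain anything unexpected. The Python script below is an added example, not part of the original post and not HijackThis's own code: it applies those checks to log lines and returns the findings per line. All sample lines except the last are copied from the log above; the final O23 line, the `TRUSTED_DIRS` list and the severity labels are constructed assumptions for the example.

```python
import re

# Lines copied from the HijackThis log posted above.
POSTED_LINES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programme\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Programme\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [Vidalia] "C:\Programme\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Programme\Vidalia Bundle\Privoxy\privoxy.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Programme\NOS\bin\getPlus_HelperSvc.exe
"""
# Constructed for this example (NOT in the posted log): a service with no vendor, running from a user profile.
CONSTRUCTED_LINE = r"O23 - Service: Example Updater (exupd) - Unknown owner - C:\Dokumente und Einstellungen\user\exupd.exe"
SAMPLE_HJT = POSTED_LINES + CONSTRUCTED_LINE + "\n"

# Where binaries are expected to live on this (German-locale XP) box; an assumption for the example.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\programme\\", "c:\\program files\\", "c:\\progra~1\\")

HEAD_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# Drive letter, then anything up to the first .exe/.dll; good enough for HJT lines.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]+?\.(?:exe|dll)", re.IGNORECASE)

def extract_path(body):
    m = PATH_RE.search(body)
    return m.group(0) if m else None

def triage_line(line):
    """Return a list of (severity, reason) findings for one HijackThis line; [] if nothing stands out."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    findings = []
    path = extract_path(body)

    if code.startswith("R"):
        # Browser start/search pages: note anything that is neither empty nor a Microsoft redirector.
        url = body.split("=", 1)[1].strip() if "=" in body else ""
        if url and "go.microsoft.com" not in url:
            findings.append(("info", f"non-default browser URL: {url}"))

    if code == "O4":
        if body.endswith("= ?"):
            findings.append(("medium", "startup shortcut whose target could not be resolved"))
        elif path is None:
            # Bare image name: resolved through the search path, so a same-named file earlier on PATH wins.
            findings.append(("low", "Run entry without an absolute path (search-path dependent)"))

    if code == "O20":
        findings.append(("medium", "Winlogon Notify DLL loads inside winlogon.exe; verify the vendor"))

    if code == "O23":
        # O23 - Service: <name> - <vendor> - <path>; HijackThis prints "Unknown owner" when no company is found.
        parts = body.split(" - ")
        vendor = parts[1].strip() if len(parts) >= 3 else ""
        if vendor in ("", "Unknown owner"):
            findings.append(("medium", "service with no identifiable vendor"))

    if path and not path.lower().startswith(TRUSTED_DIRS):
        findings.append(("high", f"binary outside expected directories: {path}"))

    return findings

def triage(log_text):
    """Map each flagged line to its findings; lines with nothing to say are omitted."""
    report = {}
    for line in log_text.splitlines():
        f = triage_line(line)
        if f:
            report[line.strip()] = f
    return report

if __name__ == "__main__":
    for line, findings in triage(SAMPLE_HJT).items():
        for sev, why in findings:
            print(f"[{sev:6}] {why}\n         {line}")
```

Run against these lines, everything copied from the posted log comes out as `info`, `low` or a "verify the vendor" note: the Yahoo start page, the two bare-name Run entries (`nwiz.exe`, `RTHDCPL.EXE`), the `hpoddt01.exe.lnk = ?` shortcut and the SUPERAntiSpyware Winlogon Notify DLL, all of which a reviewer would recognise as legitimate. Only the constructed service line is rated `high`, because its binary sits under a user profile and has no vendor. That matches the reply below that the log is clean; the checks tell you where to look, the judgement about each vendor is still yours.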

  • The log is clean :)

  • OK, thank you :)