Topic: espeak911, colexity 777 and other url malware problem.

deacon23

  • Guest
espeak911, colexity 777 and other url malware problem.
« on: August 20, 2012, 01:36:36 AM »
Hi guys, I need help fixing this please... Thanks. I am running Vista on a Dell PC.

Pondus
Re: espeak911, colexity 777 and other url malware problem.
« Reply #1 on: August 20, 2012, 01:40:47 AM »
Attach logs here and help will arrive: http://forum.avast.com/index.php?topic=53253.0

deacon23

  • Guest
Re: espeak911, colexity 777 and other url malware problem.
« Reply #2 on: August 20, 2012, 01:52:20 AM »
Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.19.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Grayson Family Drug :: GRAYSONFAMILYDR [administrator]

Protection: Enabled

8/19/2012 6:56:06 PM
mbam-log-2012-08-19 (18-56-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 212287
Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 3452 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

deacon23

  • Guest
Re: espeak911, colexity 777 and other url malware problem.
« Reply #4 on: August 20, 2012, 01:54:03 AM »
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-19 19:38:46
-----------------------------
19:38:46.474    OS Version: Windows x64 6.1.7601 Service Pack 1
19:38:46.474    Number of processors: 2 586 0x602
19:38:46.474    ComputerName: GRAYSONFAMILYDR  UserName:
19:38:49.204    Initialize success
19:38:50.442    AVAST engine defs: 12081901
19:39:13.566    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000061
19:39:13.566    Disk 0 Vendor: ST332041 CC46 Size: 305245MB BusType: 11
19:39:13.566    Device \Driver\amdsata -> MajorFunction fffffa80036375e8
19:39:13.566    Disk 0 MBR read successfully
19:39:13.582    Disk 0 MBR scan
19:39:13.582    Disk 0 Windows VISTA default MBR code
19:39:13.582    Disk 0 Partition 1 00     DE Dell Utility Dell 8.0       39 MB offset 63
19:39:13.598    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        15000 MB offset 80325
19:39:13.613    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       290205 MB offset 30800325
19:39:13.629    Disk 0 scanning C:\Windows\system32\drivers
19:39:25.813    Service scanning
19:39:45.210    Modules scanning
19:39:45.226    Disk 0 trace - called modules:
19:39:45.241    ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys >>UNKNOWN [0xfffffa80036375e8]<<
19:39:45.257    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80031e1060]
19:39:45.257    3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> [0xfffffa8003180760]
19:39:45.257    5 amdxata.sys[fffff8800108d7a8] -> nt!IofCallDriver -> \Device\00000061[0xfffffa800317d060]
19:39:45.273    \Driver\amdsata[0xfffffa8003578cc0] -> IRP_MJ_CREATE -> 0xfffffa80036375e8
19:39:49.141    AVAST engine scan C:\Windows
19:39:51.294    AVAST engine scan C:\Windows\system32
19:42:41.039    AVAST engine scan C:\Windows\system32\drivers
19:42:53.176    AVAST engine scan C:\Users\Grayson Family Drug
19:45:15.531    File: C:\Users\Grayson Family Drug\AppData\Local\Temp\B1B.tmp  **INFECTED** Win32:Alureon-AVP [Trj]
19:47:57.878    Disk 0 MBR has been saved successfully to "C:\Users\Grayson Family Drug\Desktop\MBR.dat"
19:47:57.893    The log file has been saved successfully to "C:\Users\Grayson Family Drug\Desktop\aswMBR.txt

deacon23

  • Guest
Re: espeak911, colexity 777 and other url malware problem.
« Reply #5 on: August 20, 2012, 01:57:55 AM »
Would I be better off to just restore to factory using factory reinstall?

Pondus
Re: espeak911, colexity 777 and other url malware problem.
« Reply #6 on: August 20, 2012, 07:09:04 AM »
The removers will fix this... relax.

They are notified.

Note: we also need the OTL.txt log... that is the important one.
« Last Edit: August 20, 2012, 07:11:23 AM by Pondus »

essexboy

  • Malware removal instructor
Re: espeak911, colexity 777 and other url malware problem.
« Reply #7 on: August 20, 2012, 03:20:01 PM »
Could you attach the OTL log? Meanwhile, let's make a start.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.