IE ads pop up....disappears+Volume mutes regularly

Question

Rajesh S 0 Newbie Poster

14 Years Ago

Hello,
My computer faces the problem of internet explorer ads popping up(they never show up-i am able to see it when i press alt tab to check for the current programs running and its in there) and disappears the next moment. Plus the wave slider in the master volume window mutes automatically. Both these happen in regular intervals. Please suggest me something. I really hope u can help me out. My HiJack file is pasted below:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:43:40 PM, on 6/21/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:WINDOWSSystem32smss.exe
E:WINDOWSsystem32winlogon.exe
E:WINDOWSsystem32services.exe
E:WINDOWSsystem32lsass.exe
C:System Volume InformationMicrosoftservices.exe
E:WINDOWSsystem32svchost.exe
E:WINDOWSSystem32svchost.exe
E:WINDOWSsystem32svchost.exe
E:Program FilesAlwil SoftwareAvast5AvastSvc.exe
C:System Volume InformationMicrosoftsmss.exe
E:WINDOWSsystem32spoolsv.exe
E:WINDOWSSystem32svchost.exe
E:WINDOWSsystem32cisvc.exe
E:Program FilesJavajre6binjqs.exe
E:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
E:Program FilesCyberLinkShared FilesRichVideo.exe
E:Program FilesMicrosoft SQL Server90Sharedsqlwriter.exe
E:WINDOWSsystem32svchost.exe
E:Program FilesZTE Wireless TerminalbinMonServiceUDisk.exe
E:Program FilesCommon FilesUlead SystemsDVDULCDRSvr.exe
E:Program FilesYahoo!SoftwareUpdateYahooAUService.exe
E:WINDOWSsystem32wscntfy.exe
E:WINDOWSExplorer.EXE
E:Program FilesCyberLinkPowerDVDPDVDServ.exe
E:WINDOWSsystem32igfxtray.exe
E:WINDOWSsystem32hkcmd.exe
E:WINDOWSsystem32igfxpers.exe
E:WINDOWSRTHDCPL.EXE
E:Program FilesCommon FilesNokiaMPlatformNokiaMServer.exe
E:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
E:Program FilesYahoo!Search ProtectionSearchProtection.exe
E:PROGRA~1INTERN~2netdet.exe
E:PROGRA~1ALWILS~1Avast5avastUI.exe
E:WINDOWSsystem32ctfmon.exe
E:Program FilesMessengermsmsgs.exe
E:WINDOWSsystem32igfxsrvc.exe
F:softwaresProcessExplorerprocexp.exe
E:Documents and SettingsUserLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
E:Documents and SettingsUserLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
E:WINDOWSsystem32cidaemon.exe
E:Documents and SettingsUserLocal SettingsApplication DataGoogleChromeApplicationchrome.exe
E:WINDOWSsystem32msiexec.exe
E:Program FilesTrend MicroHiJackThisHiJackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = [url]http://in.rd.yahoo.com/customize/ycomp/defaults/sp/*http://in.yahoo.com[/url]
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = [url]http://www.bsnl.co.in/[/url]
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = [url]http://in.yahoo.com[/url]
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = [url]http://in.yahoo.com[/url]
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = [url]http://in.rd.yahoo.com/customize/ycomp/defaults/su/*http://in.yahoo.com[/url]
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:Program FilesYahoo!CompanionInstallscpn0yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:Program FilesYahoo!CompanionInstallscpn0yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:Program FilesAdobeAcrobat 6.0ReaderActiveXAcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:PROGRA~1MICROS~2Office12GRA8E1~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:Program FilesGoogleGoogleToolbarNotifier5.2.4204.1700swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:Program FilesJavajre6binjp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:Program FilesJavajre6libdeployjqsiejqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:Program FilesYahoo!CompanionInstallscpn0YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:Program FilesYahoo!CompanionInstallscpn0yt.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - E:Program FilesStylerTBStylerTB.dll
O4 - HKLM..Run: [RemoteControl] "E:Program FilesCyberLinkPowerDVDPDVDServ.exe"
O4 - HKLM..Run: [LanguageShortcut] "E:Program FilesCyberLinkPowerDVDLanguageLanguage.exe"
O4 - HKLM..Run: [IgfxTray] E:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] E:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [Persistence] E:WINDOWSsystem32igfxpers.exe
O4 - HKLM..Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..Run: [NokiaMServer] E:Program FilesCommon FilesNokiaMPlatformNokiaMServer /watchfiles
O4 - HKLM..Run: [GrooveMonitor] "E:Program FilesMicrosoft OfficeOffice12GrooveMonitor.exe"
O4 - HKLM..Run: [YSearchProtection] "E:Program FilesYahoo!Search ProtectionSearchProtection.exe"
O4 - HKLM..Run: [Iusage] E:PROGRA~1INTERN~2netdet.exe
O4 - HKLM..Run: [avast5] E:PROGRA~1ALWILS~1Avast5avastUI.exe /nogui
O4 - HKLM..Run: [MotiveReportAgent] "E:Program FilesCommon FilesMotiveMcciBootStrapper.exe" /url="-APPKEY=Motive -WindowContext=ReportAgent -url=file://E:Program FilesCommon FilesMotiveReportAgent.html" /browsertype=CustomMSIE /browserpath="E:Program FilesCommon FilesMotiveMotiveBrowser.exe" /hidden
O4 - HKLM..Run: [AdobeAAMUpdater-1.0] "E:Program FilesCommon FilesAdobeOOBEPDAppUWAUpdaterStartupUtility.exe"
O4 - HKLM..Run: [AdobeCS5ServiceManager] "E:Program FilesCommon FilesAdobeCS5ServiceManagerCS5ServiceManager.exe" -launchedbylogin
O4 - HKLM..Run: [SwitchBoard] E:Program FilesCommon FilesAdobeSwitchBoardSwitchBoard.exe
O4 - HKCU..Run: [ctfmon.exe] E:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [MSMSGS] "E:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [Google Update] "E:Documents and SettingsUserLocal SettingsApplication DataGoogleUpdateGoogleUpdate.exe" /c
O4 - HKCU..Run: [Search Protection] E:Program FilesYahoo!Search ProtectionSearchProtection.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - E:Program FilesPokerStarsPokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:Program FilesMessengermsmsgs.exe
O17 - HKLMSystemCCSServicesTcpip..{D12CF908-06F1-402D-A7FF-6A7A08DB51B1}: NameServer = 192.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:PROGRA~1MICROS~2Office12GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:WINDOWSsystem32browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:WINDOWSsystem32browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - E:Program FilesAlwil SoftwareAvast5AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:Program FilesAlwil SoftwareAvast5AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:Program FilesAlwil SoftwareAvast5AvastSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:Program FilesCommon FilesMacrovision SharedFLEXnet PublisherFNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - E:Program FilesGoogleUpdateGoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - E:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:Program FilesJavajre6binjqs.exe
O23 - Service: NBService - Nero AG - E:Program FilesNeroNero 7Nero BackItUpNBService.exe
O23 - Service: NMIndexingService - Nero AG - E:Program FilesCommon FilesAheadLibNMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - E:Program FilesCyberLinkShared FilesRichVideo.exe
O23 - Service: ServiceLayer - Nokia. - E:Program FilesNokiaPC Connectivity SolutionServiceLayer.exe
O23 - Service: SuperProServer - Unknown owner - C:Tally 7.2spnsrvnt.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - E:Program FilesCommon FilesAdobeSwitchBoardSwitchBoard.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - D:Tallytallylicserver.exe
O23 - Service: UDisk Monitor - Unknown owner - E:Program FilesZTE Wireless TerminalbinMonServiceUDisk.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:Program FilesCommon FilesUlead SystemsDVDULCDRSvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - E:Program FilesYahoo!SoftwareUpdateYahooAUService.exe

--
End of file - 9476 bytes



<config>Windows XP / Safari 533.4</config>

windows-virus

Edited 11 Years Ago by mike_2000_17 because: Fixed formatting

7 Contributors
17 Replies
224 Views
2 Weeks Discussion Span
Latest Post 14 Years Ago Latest Post by truckless

Biker920 0 Posting Whiz in Training

14 Years Ago

Welcome to DaniWeb Now Go here and do exactly what is instructed http://www.daniweb.com/forums/thread134865.html some one will be along to help soon. Later---

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Rajesh S 0 Newbie Poster · Answer 1 · 2010-06-22T20:30:50+00:00

Thanks a lot for your suggestions. I am currently doing all the prescribed scans and will get soon to post the results.

truckless 0 Newbie Poster · Answer 2 · 2010-06-23T01:40:59+00:00

I have exactly the same problem... Interesting timing.

I contracted this "issue" on the same day that I installed TOR, and my ISP's link with the US went down - it was a long time before I finally did a traceroute and so up until this point I was convinced that TOR had screwed up my TCP stack. I temporarily disabled my firewall, among a host of other things (including running adaware / spybot s&d scans).

I now have this problem. It seems probable that this is a fairly new piece of malware? To clarify: sporadic internet explorer (6) popups on desktop (about 1 every 10 minutes), and sporadic system wave volume drops to 0.

truckless 0 Newbie Poster · Answer 3 · 2010-06-23T04:03:00+00:00

*#$&^. Just wrote a big reply here, clicked "Post reply" and got redirected to login page. GAAH!!

Anyway. Managed to fix this problem on my machine. The following is a VERY sparse description of how I did so.

Incidentally, a bit of googling reveals this is a pretty new threat - lots of people became infected on sunday, and so far there's no packaged fix for it. Anyway, to get the ball rolling:

on my system, the offending files were in c:\System Volume Information - they may be different on yours. Run procmon and find the 'clearly not windows' versions of these exes (they won't have descriptions, and won't live in system32. Also, the company seems to be listed as "Black Internet")

Files:
- services.exe
- smss.exe

Copies of these files were also in my local settings/temp directory, along with another called loader.exe - i'd recommend getting rid of them.

Tools:
- procexp
- cygwin (not necessary, but you might have difficulty getting access to SystemVolumeInformation with explorer. I didn't try cmd, just went straight to cygwin)
- unlocker1.8.8-portable

Steps:
- run procexp
- find both "fake" processes (not the system32 ones!)
- don't terminate - they'll just reboot each other. Instead, right click, suspend both of them.
- run unlocker
- for each file:
-->find file in unlocker
--> click unlock!
--> navigate to file in cmd / cygwin - delete it
- return to procexp
- kill both processes
- done

Addendum: One other thing i did in this process, although i don't think this is necessary, was to change the permissions of these two processes to deny all (i did this before i suspended them), in procexp. You probably don't need to, but it's worth mentioning.

Best of luck.

P.S. If this is convoluted, countless hundreds of step by step guides will be appearing on the net over the next few days :)

Rajesh S 0 Newbie Poster · Answer 4 · 2010-06-23T08:19:57+00:00

Thanks a lot .....truckless...for your post. I am sure its gonna help me. But then you said that these 2 processes are fake(in C:\SystemVolumeInformation)but then in steps....u have mentioned to find these files using unlocker to unlock them. I couldnt find them at all. Please help me out.

Rajesh S 0 Newbie Poster · Answer 5 · 2010-06-23T08:30:26+00:00

Thanks a lot .....truckless...for your post. I am sure its gonna help me. But then you said that these 2 processes are fake(in C:\SystemVolumeInformation)but then in steps....u have mentioned to find these files using unlocker to unlock them. I couldnt find them at all. Please help me out.

truckless 0 Newbie Poster · Answer 6 · 2010-06-23T13:22:59+00:00

Did you find them in procexp? Make a note of their locations - the process's path will appear if you hover over it, or if you right-click->properties.

If you've found the path, but you simply can't see that particular folder in unlocker, it's likely that unlocker isn't showing hidden system folders (of which System Volume Information is). Open My Computer, click tools->folder options (in XP). Go to view tab, check "Show hidden files and folers" and uncheck "Hide protected operating system files". You should now be able to see this folder in both explorer and unlocker.

truckless 0 Newbie Poster · Answer 7 · 2010-06-23T17:03:22+00:00

I just had a look at the log in your first post. You do have the same files:
> C:\System Volume Information\Microsoft\services.exe
> C:\System Volume Information\Microsoft\smss.exe

Follow the instructions above to display protected OS files and you will be able to see the folder in unlocker

Rajesh S 0 Newbie Poster · Answer 8 · 2010-06-23T23:09:25+00:00

up...got it...but i really dont know linux....so can u just paste the commands that you executed in cygwin to get rid of this??

truckless 0 Newbie Poster · Answer 9 · 2010-06-24T17:27:50+00:00

sure:
rm -f /c/cygdrive/System\ Volume\ Information/Microsoft/*

Rajesh S 0 Newbie Poster · Answer 10 · 2010-06-26T07:24:42+00:00

Hello,
I have done all scans as prescribed. But couldn't run DDS SCAN inspite of disabling Antivirus.
My computer faces the problem of internet explorer ads popping up(they never show up-i am able to see it when i press alt tab to check for the current programs running and its in there) and disappears the next moment. Plus the wave slider in the master volume window mutes automatically. Both these happen in regular intervals. Please suggest me something. I really hope u can help me out.

MalwareBytesAntimalware:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4217

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/21/2010 12:26:07 PM
mbam-log-2010-06-21 (12-26-07).txt

Scan type: Quick scan
Objects scanned: 139237
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER ONE:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-23 12:45:07
Windows 5.1.2600 Service Pack 2
Running: f6e0noxb.exe; Driver: E:\DOCUME~1\User\LOCALS~1\Temp\fwtyykoc.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAA086AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAA0868EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAA086A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

GMER TWO:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-23 16:05:37
Windows 5.1.2600 Service Pack 2
Running: f6e0noxb.exe; Driver: E:\DOCUME~1\User\LOCALS~1\Temp\fwtyykoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA079C7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAA079B36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xAA07A0EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAA07A014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAA07970C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAA079C10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAA07964C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAA0796B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAA079D30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xAA07A1B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAA079CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAA079E70]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAA086AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAA0868EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAA086A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

Couldn't run DDS SCAN...opens in notepad :(

grosves 0 Newbie Poster · Answer 11 · 2010-06-26T14:48:08+00:00

Hi,

Truckless, I tried your method and it worked for me to the extent that the services and smss .exes are sometimes deleted after a reboot. But on subsequent reboots, they have reappeared, so something else seems to be creating them anew.

Also, since getting this virus, my PC won't boot up normally if any external drives or optical discs are in, despite going into the BIOS menus and checking that it should be booting off C:. instead I have to go into the F10 bootup menu and boot from there, in which case I sometimes get a login screen for XP asking for my password - but there isn't one, and it won't let me onto the desktop without one.

know this all seems inconsistent. I have done a couple of reboots wherre the smss and services files did not regenerate on startup, but not sure what the variables were - possibly that was a restart without external drives attached that did not require going into the F10 menu on bootup. I have turned System Restore off.

Any thoughts appreciated!

Tom10 0 Newbie Poster · Answer 12 · 2010-06-27T08:44:44+00:00

My laptop seems to have picked up the same virus - wave slider on volume control muting, IE popups, got asked for a password to log onto XP even though I didn't set a password. Also, an audio ad for Dettol plays in the background at times for no reason when I turn the volume back up. Currently searching for the files Truckless mentioned.

To echo what grosves said - any help will be gratefully received!

lordofsarcasm 0 Newbie Poster · Answer 13 · 2010-06-30T10:56:10+00:00

Same issue here-I used both malwarebytes and prevyx cause I wasn't sure how to find the files-and prevyx found 4 files-2 of which are smss.exe and another exe hiding in the temp folder as well as another file...not sure what to do!

Echoing again the above-any help? that would be awesome

grosves 0 Newbie Poster · Answer 14 · 2010-06-30T14:34:35+00:00

Finally cleared the smss and services files. Look on this thread, where "Dr. Moriarty" provides the solution I used:

http://forums.majorgeeks.com/showthread.php?t=217807

madmachine 0 Newbie Poster · Answer 15 · 2010-07-05T15:11:14+00:00

I got up to locating the two processes but i can't open UnlockerPortable.exe...it dosen't open. Any ideas on that?

truckless 0 Newbie Poster · Answer 16 · 2010-07-05T23:49:24+00:00

madmachine - my original suggestion was insufficient; the virus infects your master boot record. Following Dr. Moriarty's instructions, download bootkit_remover ( http://www.esagelab.com/files/bootkit_remover.rar ) - you'll need to disinfect your windows drive ( 'c:' unless you've changed it ).

Presumably if you disinfect, the process won't get loaded on your next boot, in which case you won't need unlocker - just delete the files.