Jump to content

Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Cant remove virus/trojan (Generic PWS.y!ti) ?

  • This topic is locked This topic is locked
2 replies to this topic

#1 zeep


  • Members
  • 2 posts
  • Local time:11:11 PM

Posted 07 October 2009 - 08:30 AM

I got a rar file from a friend that has apparently infected my pc. According to my VShield the name is Generic PWS.y!ti.
It's main location from what i've learned so far is C:\lsass.exe. It keeps extensions and system files hidden, this is how i found out my infection because i do not have extensions and system files hidden normally.

From a dos window i can see the file in my root. (dir /a)
08/04/2004  14:00		   380,928 lsass.exe

When i'm in Windows my VShield keeps alerting me, C:\lsass.exe\000535a8.EXE cannot be cleaned. Neither can i move or delete it.
Using a 3rd party program (hiddenfinder) i did Properties of the lsass.exe located in the root and it strangely enough had a Font tab. So maybe it has itself connectec to fonts too?!

I searched my registry and it has 'connected' itself to userinit.exe:
HLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogin C:\WINDOWS\system32\userinit.exe,c:\lsass.exe

My OS is Windows XP SP2

This is my hyjackthis log and DDS log. I hope somebody can help me get rid of this bugger.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30:10, on 10/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HiddenFinder\hiddenfinder.exe
C:\Documents and Settings\z\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\lsass.exe
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

End of file - 3823 bytes

DDS log:

DDS (Ver_09-09-29.01) - NTFSx86
Run by z at 15:21:00.10 on Wed 10/07/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2355 [GMT 2:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Network Associates\On Demand Scanner\Scan32\SCAN32.EXE
C:\Documents and Settings\z\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\lsass.exe
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\z\applic~1\mozilla\firefox\profiles\4zoc2tw4.default\
FF - prefs.js: browser.startup.homepage - www.google.com

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2008-6-4 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2008-6-4 5248]
R0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\naifsrec.sys [2001-4-30 4512]
R2 AvSynMgr;AVSync Manager;c:\program files\network associates\virusscan\Avsynmgr.exe [2001-4-30 155665]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
R3 MAFW;MAFW;c:\windows\system32\drivers\mafw.sys [2008-5-30 186368]
R3 McShield;McShield;c:\program files\common files\network associates\mcshield\Mcshield.exe [2001-4-30 229499]
R3 NaiFiltr;NaiFiltr;c:\program files\common files\network associates\mcshield\naifiltr.sys [2001-4-30 24480]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-8-26 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;c:\windows\system32\drivers\KORGUMDS.SYS [2008-10-29 21720]

=============== Created Last 30 ================

==================== Find3M ====================

2009-10-04 16:16 190,144 a------- c:\windows\system32\PnkBstrB.exe
2009-10-04 15:44 138,808 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-26 11:10 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-08-26 11:10 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-07-19 00:58 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-07-12 02:58 895,736 a------- c:\windows\system32\wmvdmod.dll
2008-06-10 19:28 87,608 a------- c:\docume~1\z\applic~1\inst.exe
2008-06-10 19:28 47,360 a------- c:\docume~1\z\applic~1\pcouffin.sys
2006-06-23 08:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 15:21:12.04 ===============

BC AdBot (Login to Remove)


#2 zeep

  • Topic Starter

  • Members
  • 2 posts
  • Local time:11:11 PM

Posted 10 October 2009 - 04:33 AM

Well after 3 days i must say i really hoped someone could help me get this virus beaten. I guess no experts have been present in the forum. I read that it normally takes 24 hours tops for a reply! :(

Well guys, for what it's worth, i got the virus out myself. In case somebody else gets the same virus just just Malwarebytes' Anti-Malware. It seems to work good enough to rid of the virus after a reboot.
At first i was manually deleting reg keys, (the virus kept sticking itself to userinit.exe), but it kept coming back.


#3 m0le


    Can U Dig It?

  • Malware Response Instructor
  • 33,456 posts
  • Gender:Male
  • Location:London, UK
  • Local time:11:11 PM

Posted 22 October 2009 - 07:01 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
[If I have helped you fix your PC then please donate. Thanks
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users